commit dc9336ae2690ca00230073331e8524f68a168509
Author: k18ceiec
Date: Sat Oct 24 12:08:31 2020 +0600
First commit, at K18-2 Control Center.
diff --git a/deploy.yml b/deploy.yml
new file mode 100644
index 0000000..f033881
--- /dev/null
+++ b/deploy.yml
@@ -0,0 +1,128 @@
+- hosts:
+ - adc_mcn0
+ - adc_mcn1
+ - adc_mcn2
+ - adc_mcn3
+ remote_user: root
+ vars_files:
+ - install_config/group_vars/adc_global.yml
+ roles:
+ - framework
+ #- kernel-ml
+ - telegraf_collect
+
+- hosts: adc_mxn
+ remote_user: root
+ roles:
+# - tsg-env-mxn
+
+- hosts: adc_mcn0
+ remote_user: root
+ vars_files:
+ - install_config/group_vars/adc_global.yml
+ - install_config/group_vars/adc_mcn0.yml
+ roles:
+# - tsg-env-mcn0
+ - mrzcpd
+ - sapp
+ - tsg_master
+# - kni
+ - firewall
+# - tsg_app
+ - http_healthcheck
+# - packet_dump
+ - certstore
+ - cert-redis
+ - telegraf_statistic
+# - tsg_device_tag
+
+- hosts: adc_mcn1
+ remote_user: root
+ vars_files:
+ - install_config/group_vars/adc_global.yml
+ - install_config/group_vars/adc_mcn1.yml
+ roles:
+# - tsg-env-mcn1
+ - mrzcpd
+ - tfe
+
+- hosts: adc_mcn2
+ remote_user: root
+ vars_files:
+ - install_config/group_vars/adc_global.yml
+ - install_config/group_vars/adc_mcn2.yml
+ roles:
+# - tsg-env-mcn2
+ - mrzcpd
+ - tfe
+
+- hosts: adc_mcn3
+ remote_user: root
+ vars_files:
+ - install_config/group_vars/adc_global.yml
+ - install_config/group_vars/adc_mcn3.yml
+ roles:
+# - tsg-env-mcn3
+ - mrzcpd
+ - tfe
+
+- hosts: adc_mcn0
+ remote_user: root
+ roles:
+ - tsg-diagnose
+
+- hosts:
+ - adc_mcn1
+ - adc_mcn2
+ - adc_mcn3
+ remote_user: root
+ roles:
+ - tsg-diagnose_sync_ca
+
+- hosts: adc_mcn0
+ remote_user: root
+ roles:
+ - tsg-diagnose_stop_sync
+
+- hosts:
+ - adc_mcn0
+ - adc_mcn1
+ - adc_mcn2
+ - adc_mcn3
+ remote_user: root
+ vars_files:
+ - install_config/group_vars/adc_global.yml
+ roles:
+ - reboot
+
+- hosts: server-as-tun-mode
+ remote_user: root
+ vars_files:
+ - install_config/group_vars/server_as_tun_mode.yml
+ roles:
+ - kernel-ml
+ - framework
+ - mrzcpd
+ - tsg-env-tun-mode
+ - sapp
+ - tsg_master
+ - kni
+ - firewall
+ - tsg_app
+ - http_healthcheck
+ - packet_dump
+ - certstore
+ - cert-redis
+ - tfe
+ - telegraf_statistic
+ - telegraf_collect
+ - proxy_status
+# - 
tsg_device_tag
+ - reboot
+
+- hosts: app_global
+ remote_user: root
+ vars_files:
+ - install_config/group_vars/app_global.yml
+ roles:
+ - app_global
diff --git a/install_config/group_vars/adc_global.yml b/install_config/group_vars/adc_global.yml
new file mode 100644
index 0000000..f970b70
--- /dev/null
+++ b/install_config/group_vars/adc_global.yml
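Review bot: Every play in this playbook logs in as `remote_user: root` and none uses privilege escalation, so the deployment only works while direct root SSH is enabled on every blade; a dedicated unprivileged deploy account with `remote_user: <deploy-user>` and `become: true` keeps root logins disabled without changing any role. The `adc_mxn` play keeps a `roles:` key whose single entry is commented out, which leaves the key with a null value — depending on the Ansible version this is either rejected or silently skipped, so either drop the play or write `roles: []` explicitly. The other commented-out role entries (`# - kni`, `# - tsg_app`, `# - packet_dump`, `# - tsg_device_tag`) read as dead list items; a short `# disabled: <reason>` next to each, or a `when:` on the role, records why they are off. The file also has no `---` document start.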
@@ -0,0 +1,111 @@ +######################################### +#####1: Inline_device; 2: Allot; 3: ADC_Tun_mode; +tsg_access_type: 3 +#####2: ADC; +tsg_running_type: 2 + +######################################## +#Deploy_finished_reboot +Deploy_finished_reboot: 0 + +######################################## +#IP Config +maat_redis_server: + address: "192.168.100.4" + port: 7002 + db: 0 + +dynamic_maat_redis_server: + address: "192.168.100.4" + port: 7002 + db: 0 + +cert_store_server: + address: "192.168.100.1" + port: 9991 + +log_kafkabrokers: + address: "10.4.61.10:9092,10.4.61.11:9092,10.4.61.12:9092,10.4.61.13:9092,10.4.61.14:9092,10.4.61.15:9092,10.4.61.16:9092,10.4.61.17:9092,10.4.61.18:9092,10.4.61.19:9092,10.4.61.20:9092" + +monitor_outputs_influxdb: + url: "http://127.0.0.1:58086" + +log_minio: + address: "10.4.62.253" + port: 9090 + +######################################### +#Log Level Config +#日志等级 10:DEBUG 20:INFO 30:FATAL +fw_ftp_log_level: 30 +fw_mail_log_level: 30 +fw_http_log_level: 30 +fw_dns_log_level: 30 +fw_quic_log_level: 30 +capture_packet_log_level: 30 +tsg_log_level: 30 +tsg_master_log_level: 30 +kni_log_level: 30 + +#日志等级 DEBUG INFO FATAL +tfe_log_level: FATAL +tfe_http_log_level: FATAL +pangu_log_level: FATAL +doh_log_level: FATAL + +certstore_log_level: 30 +packet_dump_log_level: 30 + +####################################### +#Sapp Performance Config +#Sapp工作在ADC计算板0时,建议使用如下30+8的配置,以保证更高的处理性能 +sapp: + worker_threads: 42 + send_only_threads_max: 1 + bind_mask: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43 + inbound_route_dir: 1 + +######################################## +#Kni Config +kni: + global: + tfe_node_count: 3 + watch_dog: + switch: 1 + maat: + readconf_mode: 2 + send_logger: + switch: 1 + tfe_nodes: + tfe0_enabled: 1 + tfe1_enabled: 1 + tfe2_enabled: 1 + +######################################## +#Tfe Config +tfe: + nr_threads: 32 + mirror_enable: 1 + 
+######################################## +#Marsio Config +#marsio工作在ADC计算板时,建议使用如下配置,以保证更高的处理性能 +mrzcpd: + iocore: 52,53,54,55 + +mrtunnat: + lcore_id: 48,49,50,51 + +######################################### +#Tsg_app +tsg_app_enable: 0 +app_global_ip: "1.1.1.1" +applog_level: 10 +app_master_log_level: 10 +app_sketch_local_log_level: 10 +app_control_plug_log_level: 10 + + +breakpad_upload_url: http://127.0.0.1/ + +tsg_master_entrance_id: 4 diff --git a/install_config/group_vars/adc_mcn0.yml b/install_config/group_vars/adc_mcn0.yml new file mode 100644 index 0000000..33b4ba6 --- /dev/null +++ b/install_config/group_vars/adc_mcn0.yml @@ -0,0 +1,39 @@ +######################################### +#Mcn0管理口网卡名 +nic_mgr: + name: ens1f3 + +######################################### +#Mcn0流量接入网卡,固定配置 +nic_data_incoming: + name: ens1f4 + +######################################### +#Mcn0其他数据口网卡名配置,固定配置 +nic_inner_ctrl: + name: ens1.100 +nic_to_tfe: + tfe0: + name: ens1f5 + tfe1: + name: ens1f6 + tfe2: + name: ens1f7 + +######################################### +#串联设备接入相关配置 +inline_device_config: + keepalive_ip: 192.168.1.30 + keepalive_mask: 255.255.255.252 + +######################################### +#Allot接入相关配置 +AllotAccess: + virturlInterface_1: ens1f2.103 + virturlInterface_2: ens1f2.104 + virturlID_1: 103 + virturlID_2: 104 + vvipv4_mask: 24 + vvipv6_mask: 64 + +bladename: mcn0 \ No newline at end of file diff --git a/install_config/group_vars/adc_mcn1.yml b/install_config/group_vars/adc_mcn1.yml new file mode 100644 index 0000000..f57e3f0 --- /dev/null +++ b/install_config/group_vars/adc_mcn1.yml 
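Review bot: `app_global_ip: "1.1.1.1"` is a live public address used as a placeholder, and the same pattern recurs in `app_global.yml` (`file_stat_ip: "1.1.1.1"`, rendered into `statsd_server=`) and in `server_as_tun_mode.yml` (`app_global_ip`, `log_kafkabrokers` with `1.1.1.1:9092,2.2.2.2:9092`); a host deployed without overriding these will send metrics and log traffic to a third party's network. Use an address from a documentation range, e.g. `app_global_ip: "192.0.2.1"` (constructed example), or leave the key undefined so the template fails loudly on an unconfigured deployment. The `tsg_access_type`/`tsg_running_type` legends at the top of this file list only values 1–3 and 2, while `server_as_tun_mode.yml` lists 0, 1, 4, 5 and 0, 1; both appear to describe one enum consumed by the same roles, so a single complete legend comment in each file would remove the ambiguity. `adc_mcn0.yml` in the same line ends without a trailing newline and spells `virturlInterface_1`; the key is consumed by templates not in view, so rename it only together with them.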
@@ -0,0 +1,19 @@ +######################################### +#Mcn1管理口网卡名 +nic_mgr: + name: ens1f3 + +######################################### +#Mcn1流量接入网卡,固定配置 +nic_data_incoming: + name: ens1f1 + +######################################### +#Mcn1其他数据口网卡名配置,固定配置 +nic_inner_ctrl: + name: ens1.100 +nic_traffic_mirror: + name: ens1f2 + use_mrzcpd: 1 + +bladename: mcn1 \ No newline at end of file diff --git a/install_config/group_vars/adc_mcn2.yml b/install_config/group_vars/adc_mcn2.yml new file mode 100644 index 0000000..2e30db3 --- /dev/null +++ b/install_config/group_vars/adc_mcn2.yml @@ -0,0 +1,19 @@ +######################################### +#Mcn2管理口网卡名 +nic_mgr: + name: ens8f3 + +######################################### +#Mcn2流量接入网卡,固定配置 +nic_data_incoming: + name: ens8f1 + +######################################### +#Mcn2其他数据口网卡名配置,固定配置 +nic_inner_ctrl: + name: ens8.100 +nic_traffic_mirror: + name: ens8f2 + use_mrzcpd: 1 + +bladename: mcn2 \ No newline at end of file diff --git a/install_config/group_vars/adc_mcn3.yml b/install_config/group_vars/adc_mcn3.yml new file mode 100644 index 0000000..2f9bb33 --- /dev/null +++ b/install_config/group_vars/adc_mcn3.yml @@ -0,0 +1,19 @@ +######################################### +#Mcn3管理口网卡名 +nic_mgr: + name: ens8f3 + +######################################### +#Mcn3流量接入网卡,固定配置 +nic_data_incoming: + name: ens8f1 + +######################################### +#Mcn3其他数据口网卡名配置,固定配置 +nic_inner_ctrl: + name: ens8.100 +nic_traffic_mirror: + name: ens8f2 + use_mrzcpd: 1 + +bladename: mcn3 \ No newline at end of file diff --git a/install_config/group_vars/app_global.yml b/install_config/group_vars/app_global.yml new file mode 100644 index 0000000..6ae6663 --- /dev/null +++ b/install_config/group_vars/app_global.yml @@ -0,0 +1,10 @@ +######################################### +app_sketch_global_log_level: 10 + +maat_redis_server: + address: "192.168.40.168" + port: 7002 + db: 0 + +file_stat_ip: "1.1.1.1" + 
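Review bot: `app_sketch_global_log_level: 10` in `app_global.yml` ships the global app at its most verbose level (the zlog template in this commit defines `DEBUG=10`, `INFO=20`, `FATAL=30`), so the default deployment writes debug logs to `./logs/app_sketch_global.log.*` with nothing in this commit limiting their growth; a production default of `20` or `30` with debug opted into per host is the safer baseline, e.g. `app_sketch_global_log_level: 30  # DEBUG=10 only for troubleshooting`. `adc_mcn1.yml`, `adc_mcn2.yml` and `adc_mcn3.yml` differ only in the NIC prefix (`ens1` vs `ens8`) and `bladename`; if the roles merely interpolate these names, a shared file plus a per-blade `nic_prefix` would cut the triplication and keep the three from drifting. All four `adc_mcn*.yml` files also lack a trailing newline.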
diff --git a/install_config/group_vars/server_as_tun_mode.yml b/install_config/group_vars/server_as_tun_mode.yml
new file mode 100644
index 0000000..cb8838d
--- /dev/null
+++ b/install_config/group_vars/server_as_tun_mode.yml
@@ -0,0 +1,145 @@ +######################################### +#####0: Pcap; 1: Inline_device; 4: ATCA_Vlan_Flipping; 5:ATCA_VXLAN; +tsg_access_type: 1 +#####0: Tun_mode; 1: normal; +tsg_running_type: 1 + +######################################## +#Deploy_finished_reboot +Deploy_finished_reboot: 1 + +######################################## +#Server Basic Config +nic_mgr: + name: eth0 + +nic_inner_ctrl: + name: eth0.100 + +######################################### +#IP Config +maat_redis_server: + address: "192.168.40.168" + port: 7002 + db: 0 + +dynamic_maat_redis_server: + address: "192.168.40.168" + port: 7002 + db: 0 + +cert_store_server: + address: "192.168.100.1" + port: 9991 + +log_kafkabrokers: + address: "1.1.1.1:9092,2.2.2.2:9092" + +log_minio: + address: "192.168.40.168;" + port: 9090 + +######################################### +#Log Level Config +#日志等级 10:DEBUG 20:INFO 30:FATAL +fw_ftp_log_level: 10 +fw_mail_log_level: 10 +fw_http_log_level: 10 +fw_dns_log_level: 10 +fw_quic_log_level: 10 +capture_packet_log_level: 10 +tsg_log_level: 10 +tsg_master_log_level: 10 +kni_log_level: 10 + + +#日志等级 DEBUG INFO FATAL +tfe_log_level: DEBUG +tfe_http_log_level: DEBUG +pangu_log_level: DEBUG +doh_log_level: DEBUG + +certstore_log_level: 10 +packet_dump_log_level: 10 + +######################################### +#Sapp Performance Config +#如果tsg_access_type=0,sapp跑在pcap模式,则以下配置可忽略 +sapp: + worker_threads: 23 + send_only_threads_max: 1 + bind_mask: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 + inbound_route_dir: 1 + +######################################### +#Sapp Double-Arm Config +packet_io: + internal_interface: eth2 + external_interface: eth3 + + +######################################### +#Kni Config +kni: + global: + tfe_node_count: 1 + watch_dog: + switch: 1 + maat: + readconf_mode: 2 + send_logger: + switch: 1 + tfe_nodes: + tfe0_enabled: 1 + tfe1_enabled: 0 + tfe2_enabled: 0 + +######################################### +#Tfe Config +tfe: + 
nr_threads: 32 + mirror_enable: 1 + +######################################### +#Marsio Config +mrzcpd: + iocore: 39 + +mrtunnat: + lcore_id: 38 + +######################################### +#Tsg_app +tsg_app_enable: 1 +app_global_ip: "1.1.1.1" +applog_level: 10 +app_master_log_level: 10 +app_sketch_local_log_level: 10 +app_control_plug_log_level: 10 + +######################################### +#ATCA Config +#下列配置只在tsg_access_type=4时生效 +ATCA_data_incoming: + ethname: enp1s0 + vf0_name: enp1s2 + vf1_name: enp1s2f1 + vf2_name: enp1s2f2 + +ATCA_VlanFlipping: + vlanID_1: 100 + vlanID_2: 101 + vlanID_3: 103 + vlanID_4: 104 + +#下列配置只在tsg_access_type=5时生效 +ATCA_VXLAN: + keepalive_ip: "10.254.19.1" + keepalive_mask: "255.255.255.252" + +######################################### +#Inline Device Config +inline_device_config: + keepalive_ip: 192.168.1.30 + keepalive_mask: 255.255.255.252 + data_incoming: eth5 diff --git a/install_config/hosts b/install_config/hosts new file mode 100644 index 0000000..5c8ad1c --- /dev/null +++ b/install_config/hosts @@ -0,0 +1,44 @@ +################### +# For example # +################### +#变量device_id根据设备序号设置即可 +#变量vvipv4_1、vvipv4_2、vvipv6_1、vvipv6_2为Allot相关配置,其他环境可不填或直接删除变量 +# +#20.09版本新增APP部署 +#[app_global] +#0.0.0.0 + +#[server-as-tun-mode] +#1.1.1.1 device_id=device_1 +# +#[adc_mxn] +#10.3.72.1 +#10.3.72.2 +# +#[adc_mcn0] +#10.3.73.1 device_id=device_1 vvipv4_1=10.3.61.1 vvipv4_2=10.3.62.1 vvipv6_1=fc00::61:1 vvipv6_2=fc00::62:1 +#10.3.73.2 device_id=device_2 vvipv4_1=10.3.61.2 vvipv4_2=10.3.62.2 vvipv6_1=fc00::61:2 vvipv6_2=fc00::62:2 +# +#[adc_mcn1] +#10.3.74.1 device_id=device_1 +#10.3.74.2 device_id=device_2 +# +#[adc_mcn2] +#10.3.75.1 device_id=device_1 +#10.3.75.2 device_id=device_2 +# +#[adc_mcn3] +#10.3.76.1 device_id=device_1 +#10.3.76.2 device_id=device_2 + +#[app_global] +#[server-as-tun-mode] +#[adc_mxn] +[adc_mcn0] +10.4.51.2 +[adc_mcn1] +10.4.52.2 +[adc_mcn2] +10.4.53.2 +[adc_mcn3] +10.4.54.2 
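Review bot: `log_minio.address: "192.168.40.168;"` carries a stray trailing semicolon, so any role that builds the MinIO endpoint from `address` and `port` will emit `192.168.40.168;:9090` or fail to parse; it should read `address: "192.168.40.168"`. This profile also sets every log level to `10`/`DEBUG` and `Deploy_finished_reboot: 1`, which reads like a lab profile rather than a deployment default — if that is intended, a one-line comment at the top of the file saying so would keep it from being shipped unchanged. In `install_config/hosts`, the live `[adc_mcn0]`–`[adc_mcn3]` entries carry no `device_id` even though the example block above says it is to be set per device; confirm whether the roles read it, since an undefined variable only surfaces at template time.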
diff --git a/roles/app_global/files/app-sketch-global-1.0.3.202010.a7b2e40-1.el7.x86_64.rpm b/roles/app_global/files/app-sketch-global-1.0.3.202010.a7b2e40-1.el7.x86_64.rpm
new file mode 100644
index 0000000..fe7937b
Binary files /dev/null and b/roles/app_global/files/app-sketch-global-1.0.3.202010.a7b2e40-1.el7.x86_64.rpm differ
diff --git a/roles/app_global/files/emqx-centos7-v4.1.2.x86_64.rpm b/roles/app_global/files/emqx-centos7-v4.1.2.x86_64.rpm
new file mode 100644
index 0000000..cb690d9
Binary files /dev/null and b/roles/app_global/files/emqx-centos7-v4.1.2.x86_64.rpm differ
diff --git a/roles/app_global/tasks/main.yml b/roles/app_global/tasks/main.yml
new file mode 100644
index 0000000..bb4814a
--- /dev/null
+++ b/roles/app_global/tasks/main.yml
@@ -0,0 +1,36 @@
+- name: "copy app_global rpm to destination server"
+ copy:
+ src: "{{ role_path }}/files/"
+ dest: /tmp/ansible_deploy/
+
+- name: "install app rpms from localhost"
+ yum:
+ name:
+ - /tmp/ansible_deploy/emqx-centos7-v4.1.2.x86_64.rpm
+ - /tmp/ansible_deploy/app-sketch-global-1.0.3.202010.a7b2e40-1.el7.x86_64.rpm
+ state: present
+
+- name: "template the app_sketch_global.conf"
+ template:
+ src: "{{ role_path }}/templates/app_sketch_global.conf.j2"
+ dest: /opt/tsg/app-sketch-global/conf/app_sketch_global.conf
+
+- name: "template the zlog.conf"
+ template:
+ src: "{{ role_path }}/templates/zlog.conf.j2"
+ dest: /opt/tsg/app-sketch-global/conf/zlog.conf
+
+- name: "Start emqx"
+ systemd:
+ name: emqx.service
+ state: started
+ enabled: yes
+ daemon_reload: yes
+
+
+- name: "Start app-sketch-global"
+ systemd:
+ name: app-sketch-global.service
+ state: started
+ enabled: yes
+ daemon_reload: yes
diff --git a/roles/app_global/templates/app_sketch_global.conf.j2 b/roles/app_global/templates/app_sketch_global.conf.j2
new file mode 100644
index 0000000..058ffb6
--- /dev/null
+++ b/roles/app_global/templates/app_sketch_global.conf.j2
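Review bot: The RPMs are staged under `/tmp/ansible_deploy/` and installed by path from there, but `/tmp` is shared with every local account and the `yum` task asks for no signature verification (yum's default `localpkg_gpgcheck=0` skips GPG checks for local files), so the installed binaries depend on nobody having altered the staging directory between the two tasks. Stage into a root-owned directory with a restrictive mode and, if the packages are signed, let yum verify them; the rewritten copy task is below and the yum task only needs its two paths updated. The two `template` tasks also carry no `notify`, so a re-run after a config change leaves the running service on the old file (`state: started` is a no-op on a running unit) — add a handler that restarts `app-sketch-global.service`. Minor: `enabled: yes`/`daemon_reload: yes` should be `true` for yamllint's `truthy` rule.
```yaml
- name: "copy app_global rpm to destination server"
  copy:
    src: "{{ role_path }}/files/"
    dest: /opt/tsg/ansible_deploy/   # root-owned staging dir (example path, adjust to project layout)
    owner: root
    group: root
    mode: "0600"
    directory_mode: "0700"
# … unchanged: yum task (paths moved to the new staging dir), template tasks, systemd tasks …
```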
@@ -0,0 +1,41 @@ +[SYSTEM] +#1:print on screen, 0:don't +DEBUG_SWITCH = 1 +RUN_LOG_PATH = "conf/zlog.conf" + +[breakpad] +disable_coredump=0 +enable_breakpad=1 +breakpad_minidump_dir=/tmp/app-sketch-global/crashreport +enable_breakpad_upload=0 +breakpad_upload_url={{ breakpad_upload_url }} + +[CONFIG] +#Number of running threads +thread-nu = 1 +timeout = 3600 +address="tcp://127.0.0.1:1883" +topic_name="APP_SIGNATURE_ID" +client_name="ExampleClientSub" + +[maat] +# 0:json 1: redis 2: iris +maat_input_mode=1 +table_info=./resource/table_info.conf +json_cfg_file=./resource/gtest.json +stat_file=logs/verify-policy.status +full_cfg_dir=verify-policy/ +inc_cfg_dir=verify-policy/ + +maat_redis_server={{ maat_redis_server.address }} +maat_redis_port_range={{ maat_redis_server.port }} +maat_redis_db_index={{ maat_redis_server.db }} +effect_interval_s=1 +accept_tags={"tags":[{"tag":"location","value":"Astana"}]} + +[stat] +statsd_server={{ file_stat_ip }} +statsd_port=8100 +statsd_cycle=5 +# FS_OUTPUT_STATSD=1, FS_OUTPUT_INFLUX_LINE=2 +statsd_format=2 diff --git a/roles/app_global/templates/zlog.conf.j2 b/roles/app_global/templates/zlog.conf.j2 new file mode 100644 index 0000000..d9b8218 --- /dev/null +++ b/roles/app_global/templates/zlog.conf.j2 @@ -0,0 +1,12 @@ +[global] +default format = "%d(%c), %V, %F, %U, %m%n" +[levels] +DEBUG=10 +INFO=20 +FATAL=30 +[rules] +*.fatal "./logs/error.log.%d(%F)"; +*.{{ app_sketch_global_log_level }} "./logs/app_sketch_global.log.%d(%F)" + + + diff --git a/roles/cert-redis/files/cert-redis/6379/6379.conf b/roles/cert-redis/files/cert-redis/6379/6379.conf new file mode 100644 index 0000000..7ac299b --- /dev/null +++ b/roles/cert-redis/files/cert-redis/6379/6379.conf 
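Review bot: The zlog rule `*.{{ app_sketch_global_log_level }}` renders as `*.10` because the group var is numeric, while the neighbouring rule addresses the level by name (`*.fatal`); if zlog resolves rule levels only by the names defined under `[levels]`, the rendered `zlog.conf` will fail to load and the service will start without logging, so either template the level name (`*.DEBUG`) or state in `app_global.yml` that the value must be one of `DEBUG`/`INFO`/`FATAL`. In `app_sketch_global.conf.j2`, `client_name="ExampleClientSub"` and `accept_tags={"tags":[{"tag":"location","value":"Astana"}]}` look like sample values carried over from an upstream example; hard-coding a site tag into a shared template makes every deployment accept the same policy tag, so it belongs in group vars next to the other per-site values. `DEBUG_SWITCH = 1` likewise leaves screen printing enabled in what is installed as a systemd service; a comment on that line saying whether it is intentional would help.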
@@ -0,0 +1,1052 @@ +# Redis configuration file example. +# +# Note that in order to read the configuration file, Redis must be +# started with the file path as first argument: +# +# ./redis-server /path/to/redis.conf + +# Note on units: when memory size is needed, it is possible to specify +# it in the usual form of 1k 5GB 4M and so forth: +# +# 1k => 1000 bytes +# 1kb => 1024 bytes +# 1m => 1000000 bytes +# 1mb => 1024*1024 bytes +# 1g => 1000000000 bytes +# 1gb => 1024*1024*1024 bytes +# +# units are case insensitive so 1GB 1Gb 1gB are all the same. + +################################## INCLUDES ################################### + +# Include one or more other config files here. This is useful if you +# have a standard template that goes to all Redis servers but also need +# to customize a few per-server settings. Include files can include +# other files, so use this wisely. +# +# Notice option "include" won't be rewritten by command "CONFIG REWRITE" +# from admin or Redis Sentinel. Since Redis always uses the last processed +# line as value of a configuration directive, you'd better put includes +# at the beginning of this file to avoid overwriting config change at runtime. +# +# If instead you are interested in using includes to override configuration +# options, it is better to use include as the last line. +# +# include /path/to/local.conf +# include /path/to/other.conf + +################################## NETWORK ##################################### + +# By default, if no "bind" configuration directive is specified, Redis listens +# for connections from all the network interfaces available on the server. +# It is possible to listen to just one or multiple selected interfaces using +# the "bind" configuration directive, followed by one or more IP addresses. 
+# +# Examples: +# +# bind 192.168.1.100 10.0.0.1 +# bind $ip ::1 +# +# ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the +# internet, binding to all the interfaces is dangerous and will expose the +# instance to everybody on the internet. So by default we uncomment the +# following bind directive, that will force Redis to listen only into +# the IPv4 lookback interface address (this means Redis will be able to +# accept connections only from clients running into the same computer it +# is running). +# +# IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES +# JUST COMMENT THE FOLLOWING LINE. +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +bind 0.0.0.0 + +# Protected mode is a layer of security protection, in order to avoid that +# Redis instances left open on the internet are accessed and exploited. +# +# When protected mode is on and if: +# +# 1) The server is not binding explicitly to a set of addresses using the +# "bind" directive. +# 2) No password is configured. +# +# The server only accepts connections from clients connecting from the +# IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain +# sockets. +# +# By default protected mode is enabled. You should disable it only if +# you are sure you want clients from other hosts to connect to Redis +# even if no authentication is configured, nor a specific set of interfaces +# are explicitly listed using the "bind" directive. +protected-mode yes + +# Accept connections on the specified port, default is 6379 (IANA #815344). +# If port 0 is specified Redis will not listen on a TCP socket. +port 6379 + +# TCP listen() backlog. +# +# In high requests-per-second environments you need an high backlog in order +# to avoid slow clients connections issues. 
Note that the Linux kernel +# will silently truncate it to the value of /proc/sys/net/core/somaxconn so +# make sure to raise both the value of somaxconn and tcp_max_syn_backlog +# in order to get the desired effect. +tcp-backlog 511 + +# Unix socket. +# +# Specify the path for the Unix socket that will be used to listen for +# incoming connections. There is no default, so Redis will not listen +# on a unix socket when not specified. +# +# unixsocket /tmp/redis.sock +# unixsocketperm 700 + +# Close the connection after a client is idle for N seconds (0 to disable) +timeout 0 + +# TCP keepalive. +# +# If non-zero, use SO_KEEPALIVE to send TCP ACKs to clients in absence +# of communication. This is useful for two reasons: +# +# 1) Detect dead peers. +# 2) Take the connection alive from the point of view of network +# equipment in the middle. +# +# On Linux, the specified value (in seconds) is the period used to send ACKs. +# Note that to close the connection the double of the time is needed. +# On other kernels the period depends on the kernel configuration. +# +# A reasonable value for this option is 300 seconds, which is the new +# Redis default starting with Redis 3.2.1. +tcp-keepalive 300 + +################################# GENERAL ##################################### + +# By default Redis does not run as a daemon. Use 'yes' if you need it. +# Note that Redis will write a pid file in /var/run/redis.pid when daemonized. +daemonize yes + +# If you run Redis from upstart or systemd, Redis can interact with your +# supervision tree. Options: +# supervised no - no supervision interaction +# supervised upstart - signal upstart by putting Redis into SIGSTOP mode +# supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET +# supervised auto - detect upstart or systemd method based on +# UPSTART_JOB or NOTIFY_SOCKET environment variables +# Note: these supervision methods only signal "process is ready." 
+# They do not enable continuous liveness pings back to your supervisor. +supervised no + +# If a pid file is specified, Redis writes it where specified at startup +# and removes it at exit. +# +# When the server runs non daemonized, no pid file is created if none is +# specified in the configuration. When the server is daemonized, the pid file +# is used even if not specified, defaulting to "/var/run/redis.pid". +# +# Creating a pid file is best effort: if Redis is not able to create it +# nothing bad happens, the server will start and run normally. +pidfile /var/run/redis_6379.pid + +# Specify the server verbosity level. +# This can be one of: +# debug (a lot of information, useful for development/testing) +# verbose (many rarely useful info, but not a mess like the debug level) +# notice (moderately verbose, what you want in production probably) +# warning (only very important / critical messages are logged) +loglevel notice + +# Specify the log file name. Also the empty string can be used to force +# Redis to log on the standard output. Note that if you use standard +# output for logging but daemonize, logs will be sent to /dev/null +logfile "/opt/tsg/cert-redis/6379/6379.log" + +# To enable logging to the system logger, just set 'syslog-enabled' to yes, +# and optionally update the other syslog parameters to suit your needs. +# syslog-enabled no + +# Specify the syslog identity. +# syslog-ident redis + +# Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7. +# syslog-facility local0 + +# Set the number of databases. The default database is DB 0, you can select +# a different one on a per-connection basis using SELECT where +# dbid is a number between 0 and 'databases'-1 +databases 16 + +################################ SNAPSHOTTING ################################ +# +# Save the DB on disk: +# +# save +# +# Will save the DB if both the given number of seconds and the given +# number of write operations against the DB occurred. 
+# +# In the example below the behaviour will be to save: +# after 900 sec (15 min) if at least 1 key changed +# after 300 sec (5 min) if at least 10 keys changed +# after 60 sec if at least 10000 keys changed +# +# Note: you can disable saving completely by commenting out all "save" lines. +# +# It is also possible to remove all the previously configured save +# points by adding a save directive with a single empty string argument +# like in the following example: +# +# save "" + +save 900 1 +save 300 10 +save 60 10000 + +# By default Redis will stop accepting writes if RDB snapshots are enabled +# (at least one save point) and the latest background save failed. +# This will make the user aware (in a hard way) that data is not persisting +# on disk properly, otherwise chances are that no one will notice and some +# disaster will happen. +# +# If the background saving process will start working again Redis will +# automatically allow writes again. +# +# However if you have setup your proper monitoring of the Redis server +# and persistence, you may want to disable this feature so that Redis will +# continue to work as usual even if there are problems with disk, +# permissions, and so forth. +stop-writes-on-bgsave-error yes + +# Compress string objects using LZF when dump .rdb databases? +# For default that's set to 'yes' as it's almost always a win. +# If you want to save some CPU in the saving child set it to 'no' but +# the dataset will likely be bigger if you have compressible values or keys. +rdbcompression yes + +# Since version 5 of RDB a CRC64 checksum is placed at the end of the file. +# This makes the format more resistant to corruption but there is a performance +# hit to pay (around 10%) when saving and loading RDB files, so you can disable it +# for maximum performances. +# +# RDB files created with checksum disabled have a checksum of zero that will +# tell the loading code to skip the check. 
+rdbchecksum yes + +# The filename where to dump the DB +dbfilename dump.rdb + +# The working directory. +# +# The DB will be written inside this directory, with the filename specified +# above using the 'dbfilename' configuration directive. +# +# The Append Only File will also be created inside this directory. +# +# Note that you must specify a directory here, not a file name. +dir /opt/tsg/cert-redis/6379/ + +################################# REPLICATION ################################# + +# Master-Slave replication. Use slaveof to make a Redis instance a copy of +# another Redis server. A few things to understand ASAP about Redis replication. +# +# 1) Redis replication is asynchronous, but you can configure a master to +# stop accepting writes if it appears to be not connected with at least +# a given number of slaves. +# 2) Redis slaves are able to perform a partial resynchronization with the +# master if the replication link is lost for a relatively small amount of +# time. You may want to configure the replication backlog size (see the next +# sections of this file) with a sensible value depending on your needs. +# 3) Replication is automatic and does not need user intervention. After a +# network partition slaves automatically try to reconnect to masters +# and resynchronize with them. +# +# slaveof + +# If the master is password protected (using the "requirepass" configuration +# directive below) it is possible to tell the slave to authenticate before +# starting the replication synchronization process, otherwise the master will +# refuse the slave request. +# +# masterauth + +# When a slave loses its connection with the master, or when the replication +# is still in progress, the slave can act in two different ways: +# +# 1) if slave-serve-stale-data is set to 'yes' (the default) the slave will +# still reply to client requests, possibly with out of date data, or the +# data set may just be empty if this is the first synchronization. 
+# +# 2) if slave-serve-stale-data is set to 'no' the slave will reply with +# an error "SYNC with master in progress" to all the kind of commands +# but to INFO and SLAVEOF. +# +slave-serve-stale-data yes + +# You can configure a slave instance to accept writes or not. Writing against +# a slave instance may be useful to store some ephemeral data (because data +# written on a slave will be easily deleted after resync with the master) but +# may also cause problems if clients are writing to it because of a +# misconfiguration. +# +# Since Redis 2.6 by default slaves are read-only. +# +# Note: read only slaves are not designed to be exposed to untrusted clients +# on the internet. It's just a protection layer against misuse of the instance. +# Still a read only slave exports by default all the administrative commands +# such as CONFIG, DEBUG, and so forth. To a limited extent you can improve +# security of read only slaves using 'rename-command' to shadow all the +# administrative / dangerous commands. +slave-read-only yes + +# Replication SYNC strategy: disk or socket. +# +# ------------------------------------------------------- +# WARNING: DISKLESS REPLICATION IS EXPERIMENTAL CURRENTLY +# ------------------------------------------------------- +# +# New slaves and reconnecting slaves that are not able to continue the replication +# process just receiving differences, need to do what is called a "full +# synchronization". An RDB file is transmitted from the master to the slaves. +# The transmission can happen in two different ways: +# +# 1) Disk-backed: The Redis master creates a new process that writes the RDB +# file on disk. Later the file is transferred by the parent +# process to the slaves incrementally. +# 2) Diskless: The Redis master creates a new process that directly writes the +# RDB file to slave sockets, without touching the disk at all. 
+# +# With disk-backed replication, while the RDB file is generated, more slaves +# can be queued and served with the RDB file as soon as the current child producing +# the RDB file finishes its work. With diskless replication instead once +# the transfer starts, new slaves arriving will be queued and a new transfer +# will start when the current one terminates. +# +# When diskless replication is used, the master waits a configurable amount of +# time (in seconds) before starting the transfer in the hope that multiple slaves +# will arrive and the transfer can be parallelized. +# +# With slow disks and fast (large bandwidth) networks, diskless replication +# works better. +repl-diskless-sync no + +# When diskless replication is enabled, it is possible to configure the delay +# the server waits in order to spawn the child that transfers the RDB via socket +# to the slaves. +# +# This is important since once the transfer starts, it is not possible to serve +# new slaves arriving, that will be queued for the next RDB transfer, so the server +# waits a delay in order to let more slaves arrive. +# +# The delay is specified in seconds, and by default is 5 seconds. To disable +# it entirely just set it to 0 seconds and the transfer will start ASAP. +repl-diskless-sync-delay 5 + +# Slaves send PINGs to server in a predefined interval. It's possible to change +# this interval with the repl_ping_slave_period option. The default value is 10 +# seconds. +# +# repl-ping-slave-period 10 + +# The following option sets the replication timeout for: +# +# 1) Bulk transfer I/O during SYNC, from the point of view of slave. +# 2) Master timeout from the point of view of slaves (data, pings). +# 3) Slave timeout from the point of view of masters (REPLCONF ACK pings). +# +# It is important to make sure that this value is greater than the value +# specified for repl-ping-slave-period otherwise a timeout will be detected +# every time there is low traffic between the master and the slave. 
+# +# repl-timeout 60 + +# Disable TCP_NODELAY on the slave socket after SYNC? +# +# If you select "yes" Redis will use a smaller number of TCP packets and +# less bandwidth to send data to slaves. But this can add a delay for +# the data to appear on the slave side, up to 40 milliseconds with +# Linux kernels using a default configuration. +# +# If you select "no" the delay for data to appear on the slave side will +# be reduced but more bandwidth will be used for replication. +# +# By default we optimize for low latency, but in very high traffic conditions +# or when the master and slaves are many hops away, turning this to "yes" may +# be a good idea. +repl-disable-tcp-nodelay no + +# Set the replication backlog size. The backlog is a buffer that accumulates +# slave data when slaves are disconnected for some time, so that when a slave +# wants to reconnect again, often a full resync is not needed, but a partial +# resync is enough, just passing the portion of data the slave missed while +# disconnected. +# +# The bigger the replication backlog, the longer the time the slave can be +# disconnected and later be able to perform a partial resynchronization. +# +# The backlog is only allocated once there is at least a slave connected. +# +# repl-backlog-size 1mb + +# After a master has no longer connected slaves for some time, the backlog +# will be freed. The following option configures the amount of seconds that +# need to elapse, starting from the time the last slave disconnected, for +# the backlog buffer to be freed. +# +# A value of 0 means to never release the backlog. +# +# repl-backlog-ttl 3600 + +# The slave priority is an integer number published by Redis in the INFO output. +# It is used by Redis Sentinel in order to select a slave to promote into a +# master if the master is no longer working correctly. 
+# +# A slave with a low priority number is considered better for promotion, so +# for instance if there are three slaves with priority 10, 100, 25 Sentinel will +# pick the one with priority 10, that is the lowest. +# +# However a special priority of 0 marks the slave as not able to perform the +# role of master, so a slave with priority of 0 will never be selected by +# Redis Sentinel for promotion. +# +# By default the priority is 100. +slave-priority 100 + +# It is possible for a master to stop accepting writes if there are less than +# N slaves connected, having a lag less or equal than M seconds. +# +# The N slaves need to be in "online" state. +# +# The lag in seconds, that must be <= the specified value, is calculated from +# the last ping received from the slave, that is usually sent every second. +# +# This option does not GUARANTEE that N replicas will accept the write, but +# will limit the window of exposure for lost writes in case not enough slaves +# are available, to the specified number of seconds. +# +# For example to require at least 3 slaves with a lag <= 10 seconds use: +# +# min-slaves-to-write 3 +# min-slaves-max-lag 10 +# +# Setting one or the other to 0 disables the feature. +# +# By default min-slaves-to-write is set to 0 (feature disabled) and +# min-slaves-max-lag is set to 10. + +# A Redis master is able to list the address and port of the attached +# slaves in different ways. For example the "INFO replication" section +# offers this information, which is used, among other tools, by +# Redis Sentinel in order to discover slave instances. +# Another place where this info is available is in the output of the +# "ROLE" command of a masteer. +# +# The listed IP and address normally reported by a slave is obtained +# in the following way: +# +# IP: The address is auto detected by checking the peer address +# of the socket used by the slave to connect with the master. 
+# +# Port: The port is communicated by the slave during the replication +# handshake, and is normally the port that the slave is using to +# list for connections. +# +# However when port forwarding or Network Address Translation (NAT) is +# used, the slave may be actually reachable via different IP and port +# pairs. The following two options can be used by a slave in order to +# report to its master a specific set of IP and port, so that both INFO +# and ROLE will report those values. +# +# There is no need to use both the options if you need to override just +# the port or the IP address. +# +# slave-announce-ip 5.5.5.5 +# slave-announce-port 1234 + +################################## SECURITY ################################### + +# Require clients to issue AUTH before processing any other +# commands. This might be useful in environments in which you do not trust +# others with access to the host running redis-server. +# +# This should stay commented out for backward compatibility and because most +# people do not need auth (e.g. they run their own servers). +# +# Warning: since Redis is pretty fast an outside user can try up to +# 150k passwords per second against a good box. This means that you should +# use a very strong password otherwise it will be very easy to break. +# +# requirepass foobared + +# Command renaming. +# +# It is possible to change the name of dangerous commands in a shared +# environment. For instance the CONFIG command may be renamed into something +# hard to guess so that it will still be available for internal-use tools +# but not available for general clients. +# +# Example: +# +# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52 +# +# It is also possible to completely kill a command by renaming it into +# an empty string: +# +# rename-command CONFIG "" +# +# Please note that changing the name of commands that are logged into the +# AOF file or transmitted to slaves may cause problems. 
+ +################################### LIMITS #################################### + +# Set the max number of connected clients at the same time. By default +# this limit is set to 10000 clients, however if the Redis server is not +# able to configure the process file limit to allow for the specified limit +# the max number of allowed clients is set to the current file limit +# minus 32 (as Redis reserves a few file descriptors for internal uses). +# +# Once the limit is reached Redis will close all the new connections sending +# an error 'max number of clients reached'. +# +# maxclients 10000 + +# Don't use more memory than the specified amount of bytes. +# When the memory limit is reached Redis will try to remove keys +# according to the eviction policy selected (see maxmemory-policy). +# +# If Redis can't remove keys according to the policy, or if the policy is +# set to 'noeviction', Redis will start to reply with errors to commands +# that would use more memory, like SET, LPUSH, and so on, and will continue +# to reply to read-only commands like GET. +# +# This option is usually useful when using Redis as an LRU cache, or to set +# a hard memory limit for an instance (using the 'noeviction' policy). +# +# WARNING: If you have slaves attached to an instance with maxmemory on, +# the size of the output buffers needed to feed the slaves are subtracted +# from the used memory count, so that network problems / resyncs will +# not trigger a loop where keys are evicted, and in turn the output +# buffer of slaves is full with DELs of keys evicted triggering the deletion +# of more keys, and so forth until the database is completely emptied. +# +# In short... if you have slaves attached it is suggested that you set a lower +# limit for maxmemory so that there is some free RAM on the system for slave +# output buffers (but this is not needed if the policy is 'noeviction'). 
+# +# maxmemory + +# MAXMEMORY POLICY: how Redis will select what to remove when maxmemory +# is reached. You can select among five behaviors: +# +# volatile-lru -> remove the key with an expire set using an LRU algorithm +# allkeys-lru -> remove any key according to the LRU algorithm +# volatile-random -> remove a random key with an expire set +# allkeys-random -> remove a random key, any key +# volatile-ttl -> remove the key with the nearest expire time (minor TTL) +# noeviction -> don't expire at all, just return an error on write operations +# +# Note: with any of the above policies, Redis will return an error on write +# operations, when there are no suitable keys for eviction. +# +# At the date of writing these commands are: set setnx setex append +# incr decr rpush lpush rpushx lpushx linsert lset rpoplpush sadd +# sinter sinterstore sunion sunionstore sdiff sdiffstore zadd zincrby +# zunionstore zinterstore hset hsetnx hmset hincrby incrby decrby +# getset mset msetnx exec sort +# +# The default is: +# +# maxmemory-policy noeviction + +# LRU and minimal TTL algorithms are not precise algorithms but approximated +# algorithms (in order to save memory), so you can tune it for speed or +# accuracy. For default Redis will check five keys and pick the one that was +# used less recently, you can change the sample size using the following +# configuration directive. +# +# The default of 5 produces good enough results. 10 Approximates very closely +# true LRU but costs a bit more CPU. 3 is very fast but not very accurate. +# +# maxmemory-samples 5 + +############################## APPEND ONLY MODE ############################### + +# By default Redis asynchronously dumps the dataset on disk. This mode is +# good enough in many applications, but an issue with the Redis process or +# a power outage may result into a few minutes of writes lost (depending on +# the configured save points). 
+# +# The Append Only File is an alternative persistence mode that provides +# much better durability. For instance using the default data fsync policy +# (see later in the config file) Redis can lose just one second of writes in a +# dramatic event like a server power outage, or a single write if something +# wrong with the Redis process itself happens, but the operating system is +# still running correctly. +# +# AOF and RDB persistence can be enabled at the same time without problems. +# If the AOF is enabled on startup Redis will load the AOF, that is the file +# with the better durability guarantees. +# +# Please check http://redis.io/topics/persistence for more information. + +appendonly no + +# The name of the append only file (default: "appendonly.aof") + +appendfilename "appendonly.aof" + +# The fsync() call tells the Operating System to actually write data on disk +# instead of waiting for more data in the output buffer. Some OS will really flush +# data on disk, some other OS will just try to do it ASAP. +# +# Redis supports three different modes: +# +# no: don't fsync, just let the OS flush the data when it wants. Faster. +# always: fsync after every write to the append only log. Slow, Safest. +# everysec: fsync only one time every second. Compromise. +# +# The default is "everysec", as that's usually the right compromise between +# speed and data safety. It's up to you to understand if you can relax this to +# "no" that will let the operating system flush the output buffer when +# it wants, for better performances (but if you can live with the idea of +# some data loss consider the default persistence mode that's snapshotting), +# or on the contrary, use "always" that's very slow but a bit safer than +# everysec. +# +# More details please check the following article: +# http://antirez.com/post/redis-persistence-demystified.html +# +# If unsure, use "everysec". 
+ +# appendfsync always +appendfsync everysec +# appendfsync no + +# When the AOF fsync policy is set to always or everysec, and a background +# saving process (a background save or AOF log background rewriting) is +# performing a lot of I/O against the disk, in some Linux configurations +# Redis may block too long on the fsync() call. Note that there is no fix for +# this currently, as even performing fsync in a different thread will block +# our synchronous write(2) call. +# +# In order to mitigate this problem it's possible to use the following option +# that will prevent fsync() from being called in the main process while a +# BGSAVE or BGREWRITEAOF is in progress. +# +# This means that while another child is saving, the durability of Redis is +# the same as "appendfsync none". In practical terms, this means that it is +# possible to lose up to 30 seconds of log in the worst scenario (with the +# default Linux settings). +# +# If you have latency problems turn this to "yes". Otherwise leave it as +# "no" that is the safest pick from the point of view of durability. + +no-appendfsync-on-rewrite no + +# Automatic rewrite of the append only file. +# Redis is able to automatically rewrite the log file implicitly calling +# BGREWRITEAOF when the AOF log size grows by the specified percentage. +# +# This is how it works: Redis remembers the size of the AOF file after the +# latest rewrite (if no rewrite has happened since the restart, the size of +# the AOF at startup is used). +# +# This base size is compared to the current size. If the current size is +# bigger than the specified percentage, the rewrite is triggered. Also +# you need to specify a minimal size for the AOF file to be rewritten, this +# is useful to avoid rewriting the AOF file even if the percentage increase +# is reached but it is still pretty small. +# +# Specify a percentage of zero in order to disable the automatic AOF +# rewrite feature. 
+ +auto-aof-rewrite-percentage 100 +auto-aof-rewrite-min-size 64mb + +# An AOF file may be found to be truncated at the end during the Redis +# startup process, when the AOF data gets loaded back into memory. +# This may happen when the system where Redis is running +# crashes, especially when an ext4 filesystem is mounted without the +# data=ordered option (however this can't happen when Redis itself +# crashes or aborts but the operating system still works correctly). +# +# Redis can either exit with an error when this happens, or load as much +# data as possible (the default now) and start if the AOF file is found +# to be truncated at the end. The following option controls this behavior. +# +# If aof-load-truncated is set to yes, a truncated AOF file is loaded and +# the Redis server starts emitting a log to inform the user of the event. +# Otherwise if the option is set to no, the server aborts with an error +# and refuses to start. When the option is set to no, the user requires +# to fix the AOF file using the "redis-check-aof" utility before to restart +# the server. +# +# Note that if the AOF file will be found to be corrupted in the middle +# the server will still exit with an error. This option only applies when +# Redis will try to read more data from the AOF file but not enough bytes +# will be found. +aof-load-truncated yes + +################################ LUA SCRIPTING ############################### + +# Max execution time of a Lua script in milliseconds. +# +# If the maximum execution time is reached Redis will log that a script is +# still in execution after the maximum allowed time and will start to +# reply to queries with an error. +# +# When a long running script exceeds the maximum execution time only the +# SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be +# used to stop a script that did not yet called write commands. 
The second +# is the only way to shut down the server in the case a write command was +# already issued by the script but the user doesn't want to wait for the natural +# termination of the script. +# +# Set it to 0 or a negative value for unlimited execution without warnings. +lua-time-limit 5000 + +################################ REDIS CLUSTER ############################### +# +# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +# WARNING EXPERIMENTAL: Redis Cluster is considered to be stable code, however +# in order to mark it as "mature" we need to wait for a non trivial percentage +# of users to deploy it in production. +# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +# +# Normal Redis instances can't be part of a Redis Cluster; only nodes that are +# started as cluster nodes can. In order to start a Redis instance as a +# cluster node enable the cluster support uncommenting the following: +# +# cluster-enabled yes + +# Every cluster node has a cluster configuration file. This file is not +# intended to be edited by hand. It is created and updated by Redis nodes. +# Every Redis Cluster node requires a different cluster configuration file. +# Make sure that instances running in the same system do not have +# overlapping cluster configuration file names. +# +# cluster-config-file nodes-6379.conf + +# Cluster node timeout is the amount of milliseconds a node must be unreachable +# for it to be considered in failure state. +# Most other internal time limits are multiple of the node timeout. +# +# cluster-node-timeout 15000 + +# A slave of a failing master will avoid to start a failover if its data +# looks too old. 
+# +# There is no simple way for a slave to actually have a exact measure of +# its "data age", so the following two checks are performed: +# +# 1) If there are multiple slaves able to failover, they exchange messages +# in order to try to give an advantage to the slave with the best +# replication offset (more data from the master processed). +# Slaves will try to get their rank by offset, and apply to the start +# of the failover a delay proportional to their rank. +# +# 2) Every single slave computes the time of the last interaction with +# its master. This can be the last ping or command received (if the master +# is still in the "connected" state), or the time that elapsed since the +# disconnection with the master (if the replication link is currently down). +# If the last interaction is too old, the slave will not try to failover +# at all. +# +# The point "2" can be tuned by user. Specifically a slave will not perform +# the failover if, since the last interaction with the master, the time +# elapsed is greater than: +# +# (node-timeout * slave-validity-factor) + repl-ping-slave-period +# +# So for example if node-timeout is 30 seconds, and the slave-validity-factor +# is 10, and assuming a default repl-ping-slave-period of 10 seconds, the +# slave will not try to failover if it was not able to talk with the master +# for longer than 310 seconds. +# +# A large slave-validity-factor may allow slaves with too old data to failover +# a master, while a too small value may prevent the cluster from being able to +# elect a slave at all. +# +# For maximum availability, it is possible to set the slave-validity-factor +# to a value of 0, which means, that slaves will always try to failover the +# master regardless of the last time they interacted with the master. +# (However they'll always try to apply a delay proportional to their +# offset rank). 
+# +# Zero is the only value able to guarantee that when all the partitions heal +# the cluster will always be able to continue. +# +# cluster-slave-validity-factor 10 + +# Cluster slaves are able to migrate to orphaned masters, that are masters +# that are left without working slaves. This improves the cluster ability +# to resist to failures as otherwise an orphaned master can't be failed over +# in case of failure if it has no working slaves. +# +# Slaves migrate to orphaned masters only if there are still at least a +# given number of other working slaves for their old master. This number +# is the "migration barrier". A migration barrier of 1 means that a slave +# will migrate only if there is at least 1 other working slave for its master +# and so forth. It usually reflects the number of slaves you want for every +# master in your cluster. +# +# Default is 1 (slaves migrate only if their masters remain with at least +# one slave). To disable migration just set it to a very large value. +# A value of 0 can be set but is useful only for debugging and dangerous +# in production. +# +# cluster-migration-barrier 1 + +# By default Redis Cluster nodes stop accepting queries if they detect there +# is at least an hash slot uncovered (no available node is serving it). +# This way if the cluster is partially down (for example a range of hash slots +# are no longer covered) all the cluster becomes, eventually, unavailable. +# It automatically returns available as soon as all the slots are covered again. +# +# However sometimes you want the subset of the cluster which is working, +# to continue to accept queries for the part of the key space that is still +# covered. In order to do so, just set the cluster-require-full-coverage +# option to no. +# +# cluster-require-full-coverage yes + +# In order to setup your cluster make sure to read the documentation +# available at http://redis.io web site. 
+ +################################## SLOW LOG ################################### + +# The Redis Slow Log is a system to log queries that exceeded a specified +# execution time. The execution time does not include the I/O operations +# like talking with the client, sending the reply and so forth, +# but just the time needed to actually execute the command (this is the only +# stage of command execution where the thread is blocked and can not serve +# other requests in the meantime). +# +# You can configure the slow log with two parameters: one tells Redis +# what is the execution time, in microseconds, to exceed in order for the +# command to get logged, and the other parameter is the length of the +# slow log. When a new command is logged the oldest one is removed from the +# queue of logged commands. + +# The following time is expressed in microseconds, so 1000000 is equivalent +# to one second. Note that a negative number disables the slow log, while +# a value of zero forces the logging of every command. +slowlog-log-slower-than 10000 + +# There is no limit to this length. Just be aware that it will consume memory. +# You can reclaim memory used by the slow log with SLOWLOG RESET. +slowlog-max-len 128 + +################################ LATENCY MONITOR ############################## + +# The Redis latency monitoring subsystem samples different operations +# at runtime in order to collect data related to possible sources of +# latency of a Redis instance. +# +# Via the LATENCY command this information is available to the user that can +# print graphs and obtain reports. +# +# The system only logs operations that were performed in a time equal or +# greater than the amount of milliseconds specified via the +# latency-monitor-threshold configuration directive. When its value is set +# to zero, the latency monitor is turned off. 
+# +# By default latency monitoring is disabled since it is mostly not needed +# if you don't have latency issues, and collecting data has a performance +# impact, that while very small, can be measured under big load. Latency +# monitoring can easily be enabled at runtime using the command +# "CONFIG SET latency-monitor-threshold " if needed. +latency-monitor-threshold 0 + +############################# EVENT NOTIFICATION ############################## + +# Redis can notify Pub/Sub clients about events happening in the key space. +# This feature is documented at http://redis.io/topics/notifications +# +# For instance if keyspace events notification is enabled, and a client +# performs a DEL operation on key "foo" stored in the Database 0, two +# messages will be published via Pub/Sub: +# +# PUBLISH __keyspace@0__:foo del +# PUBLISH __keyevent@0__:del foo +# +# It is possible to select the events that Redis will notify among a set +# of classes. Every class is identified by a single character: +# +# K Keyspace events, published with __keyspace@__ prefix. +# E Keyevent events, published with __keyevent@__ prefix. +# g Generic commands (non-type specific) like DEL, EXPIRE, RENAME, ... +# $ String commands +# l List commands +# s Set commands +# h Hash commands +# z Sorted set commands +# x Expired events (events generated every time a key expires) +# e Evicted events (events generated when a key is evicted for maxmemory) +# A Alias for g$lshzxe, so that the "AKE" string means all the events. +# +# The "notify-keyspace-events" takes as argument a string that is composed +# of zero or multiple characters. The empty string means that notifications +# are disabled. 
+# +# Example: to enable list and generic events, from the point of view of the +# event name, use: +# +# notify-keyspace-events Elg +# +# Example 2: to get the stream of the expired keys subscribing to channel +# name __keyevent@0__:expired use: +# +# notify-keyspace-events Ex +# +# By default all notifications are disabled because most users don't need +# this feature and the feature has some overhead. Note that if you don't +# specify at least one of K or E, no events will be delivered. +notify-keyspace-events "" + +############################### ADVANCED CONFIG ############################### + +# Hashes are encoded using a memory efficient data structure when they have a +# small number of entries, and the biggest entry does not exceed a given +# threshold. These thresholds can be configured using the following directives. +hash-max-ziplist-entries 512 +hash-max-ziplist-value 64 + +# Lists are also encoded in a special way to save a lot of space. +# The number of entries allowed per internal list node can be specified +# as a fixed maximum size or a maximum number of elements. +# For a fixed maximum size, use -5 through -1, meaning: +# -5: max size: 64 Kb <-- not recommended for normal workloads +# -4: max size: 32 Kb <-- not recommended +# -3: max size: 16 Kb <-- probably not recommended +# -2: max size: 8 Kb <-- good +# -1: max size: 4 Kb <-- good +# Positive numbers mean store up to _exactly_ that number of elements +# per list node. +# The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size), +# but if your use case is unique, adjust the settings as necessary. +list-max-ziplist-size -2 + +# Lists may also be compressed. +# Compress depth is the number of quicklist ziplist nodes from *each* side of +# the list to *exclude* from compression. The head and tail of the list +# are always uncompressed for fast push/pop operations. 
Settings are: +# 0: disable all list compression +# 1: depth 1 means "don't start compressing until after 1 node into the list, +# going from either the head or tail" +# So: [head]->node->node->...->node->[tail] +# [head], [tail] will always be uncompressed; inner nodes will compress. +# 2: [head]->[next]->node->node->...->node->[prev]->[tail] +# 2 here means: don't compress head or head->next or tail->prev or tail, +# but compress all nodes between them. +# 3: [head]->[next]->[next]->node->node->...->node->[prev]->[prev]->[tail] +# etc. +list-compress-depth 0 + +# Sets have a special encoding in just one case: when a set is composed +# of just strings that happen to be integers in radix 10 in the range +# of 64 bit signed integers. +# The following configuration setting sets the limit in the size of the +# set in order to use this special memory saving encoding. +set-max-intset-entries 512 + +# Similarly to hashes and lists, sorted sets are also specially encoded in +# order to save a lot of space. This encoding is only used when the length and +# elements of a sorted set are below the following limits: +zset-max-ziplist-entries 128 +zset-max-ziplist-value 64 + +# HyperLogLog sparse representation bytes limit. The limit includes the +# 16 bytes header. When an HyperLogLog using the sparse representation crosses +# this limit, it is converted into the dense representation. +# +# A value greater than 16000 is totally useless, since at that point the +# dense representation is more memory efficient. +# +# The suggested value is ~ 3000 in order to have the benefits of +# the space efficient encoding without slowing down too much PFADD, +# which is O(N) with the sparse encoding. The value can be raised to +# ~ 10000 when CPU is not a concern, but space is, and the data set is +# composed of many HyperLogLogs with cardinality in the 0 - 15000 range. 
+hll-sparse-max-bytes 3000 + +# Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in +# order to help rehashing the main Redis hash table (the one mapping top-level +# keys to values). The hash table implementation Redis uses (see dict.c) +# performs a lazy rehashing: the more operation you run into a hash table +# that is rehashing, the more rehashing "steps" are performed, so if the +# server is idle the rehashing is never complete and some more memory is used +# by the hash table. +# +# The default is to use this millisecond 10 times every second in order to +# actively rehash the main dictionaries, freeing memory when possible. +# +# If unsure: +# use "activerehashing no" if you have hard latency requirements and it is +# not a good thing in your environment that Redis can reply from time to time +# to queries with 2 milliseconds delay. +# +# use "activerehashing yes" if you don't have such hard requirements but +# want to free memory asap when possible. +activerehashing yes + +# The client output buffer limits can be used to force disconnection of clients +# that are not reading data from the server fast enough for some reason (a +# common reason is that a Pub/Sub client can't consume messages as fast as the +# publisher can produce them). +# +# The limit can be set differently for the three different classes of clients: +# +# normal -> normal clients including MONITOR clients +# slave -> slave clients +# pubsub -> clients subscribed to at least one pubsub channel or pattern +# +# The syntax of every client-output-buffer-limit directive is the following: +# +# client-output-buffer-limit +# +# A client is immediately disconnected once the hard limit is reached, or if +# the soft limit is reached and remains reached for the specified number of +# seconds (continuously). 
+# So for instance if the hard limit is 32 megabytes and the soft limit is +# 16 megabytes / 10 seconds, the client will get disconnected immediately +# if the size of the output buffers reach 32 megabytes, but will also get +# disconnected if the client reaches 16 megabytes and continuously overcomes +# the limit for 10 seconds. +# +# By default normal clients are not limited because they don't receive data +# without asking (in a push way), but just after a request, so only +# asynchronous clients may create a scenario where data is requested faster +# than it can read. +# +# Instead there is a default limit for pubsub and slave clients, since +# subscribers and slaves receive data in a push fashion. +# +# Both the hard or the soft limit can be disabled by setting them to zero. +client-output-buffer-limit normal 0 0 0 +client-output-buffer-limit slave 256mb 64mb 60 +client-output-buffer-limit pubsub 32mb 8mb 60 + +# Redis calls an internal function to perform many background tasks, like +# closing connections of clients in timeout, purging expired keys that are +# never requested, and so forth. +# +# Not all tasks are performed with the same frequency, but Redis checks for +# tasks to perform according to the specified "hz" value. +# +# By default "hz" is set to 10. Raising the value will use more CPU when +# Redis is idle, but at the same time will make Redis more responsive when +# there are many keys expiring at the same time, and timeouts may be +# handled with more precision. +# +# The range is between 1 and 500, however a value over 100 is usually not +# a good idea. Most users should use the default of 10 and raise this up to +# 100 only in environments where very low latency is required. +hz 10 + +# When a child rewrites the AOF file, if the following option is enabled +# the file will be fsync-ed every 32 MB of data generated. This is useful +# in order to commit the file to the disk more incrementally and avoid +# big latency spikes. 
+aof-rewrite-incremental-fsync yes
diff --git a/roles/cert-redis/files/cert-redis/6379/dump.rdb b/roles/cert-redis/files/cert-redis/6379/dump.rdb
new file mode 100644
index 0000000..f38ac69
Binary files /dev/null and b/roles/cert-redis/files/cert-redis/6379/dump.rdb differ
diff --git a/roles/cert-redis/files/cert-redis/cert-redis.service b/roles/cert-redis/files/cert-redis/cert-redis.service
new file mode 100644
index 0000000..ab4a55f
--- /dev/null
+++ b/roles/cert-redis/files/cert-redis/cert-redis.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Redis persistent key-value database
+After=network.target
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+ExecStart=/usr/local/bin/start-cert-redis
+ExecStop=killall redis-server
+Type=forking
+RuntimeDirectory=redis
+RuntimeDirectoryMode=0755
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/roles/cert-redis/files/cert-redis/install.sh b/roles/cert-redis/files/cert-redis/install.sh
new file mode 100644
index 0000000..92cabc5
--- /dev/null
+++ b/roles/cert-redis/files/cert-redis/install.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+#
+cp -rf redis-server /usr/local/bin/
+cp -rf redis-cli /usr/local/bin
+cp -rf cert-redis.service /usr/lib/systemd/system/
+cp -rf start-cert-redis /usr/local/bin
diff --git a/roles/cert-redis/files/cert-redis/redis-cli b/roles/cert-redis/files/cert-redis/redis-cli
new file mode 100644
index 0000000..c7418f6
Binary files /dev/null and b/roles/cert-redis/files/cert-redis/redis-cli differ
diff --git a/roles/cert-redis/files/cert-redis/redis-server b/roles/cert-redis/files/cert-redis/redis-server
new file mode 100644
index 0000000..aaeb37e
Binary files /dev/null and b/roles/cert-redis/files/cert-redis/redis-server differ
diff --git a/roles/cert-redis/files/cert-redis/start-cert-redis b/roles/cert-redis/files/cert-redis/start-cert-redis
new file mode 100644
index 0000000..766be35
--- /dev/null
+++ b/roles/cert-redis/files/cert-redis/start-cert-redis
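Review bot: `ExecStop=killall redis-server` terminates every redis-server process on the host rather than the one this unit started, and on the el7 systemd this deployment appears to target (the certstore rpm alongside is `.el7`) `Exec*=` lines need an absolute path, so as written the line may also keep the unit from loading. Drop `ExecStop=` and let systemd signal the unit's own cgroup on stop, or at least bind it to this instance with a `PIDFile=` that matches the pidfile in 6379.conf. No `User=`/`Group=` is set, so redis runs as root; a dedicated account (the `RuntimeDirectory=redis` name suggests one is intended) would bound what the 6379.conf in this commit, which leaves `requirepass` commented out, exposes. `Type=forking` only works if the config launched by `/usr/local/bin/start-cert-redis` has `daemonize yes`; that directive is not in view here, so please confirm it.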
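Review bot: The `redis-server` and `redis-cli` being copied are prebuilt binaries committed in this role, and nothing verifies them before they land in `/usr/local/bin` and later run as root, so whoever can change the repository changes what every target executes. Add a pinned-digest check ahead of the copies, e.g. `sha256sum -c SHA256SUMS` with the expected digests recorded next to the binaries (use placeholders until measured), or install redis from a signed package the way the certstore role uses yum. The script also has no `set -euo pipefail` and depends on the caller's cwd, so a missing source file is ignored and the Ansible task still reports success; `set -euo pipefail` and `cd "$(dirname "$0")"` after the shebang fix both.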
@@ -0,0 +1,4 @@
+#!/bin/bash
+#
+
+/usr/local/bin/redis-server /opt/tsg/cert-redis/6379/6379.conf
diff --git a/roles/cert-redis/tasks/main.yml b/roles/cert-redis/tasks/main.yml
new file mode 100644
index 0000000..c4f4de6
--- /dev/null
+++ b/roles/cert-redis/tasks/main.yml
@@ -0,0 +1,15 @@
+- name: "copy cert-redis to destination server"
+ copy:
+ src: "{{ role_path }}/files/"
+ dest: /opt/tsg
+ mode: 0755
+
+- name: "install cert-redis"
+ shell: cd /opt/tsg/cert-redis;sh install.sh
+
+- name: "start cert-redis"
+ systemd:
+ name: cert-redis.service
+ state: started
+ daemon_reload: yes
+ enabled: yes
diff --git a/roles/certstore/files/certstore-2.1.3.202010.81eef83-1.el7.x86_64.rpm b/roles/certstore/files/certstore-2.1.3.202010.81eef83-1.el7.x86_64.rpm
new file mode 100644
index 0000000..492e276
Binary files /dev/null and b/roles/certstore/files/certstore-2.1.3.202010.81eef83-1.el7.x86_64.rpm differ
diff --git a/roles/certstore/files/memory.conf b/roles/certstore/files/memory.conf
new file mode 100644
index 0000000..b6613bd
--- /dev/null
+++ b/roles/certstore/files/memory.conf
@@ -0,0 +1,2 @@
+[Service]
+MemoryMax=10G
\ No newline at end of file
diff --git a/roles/certstore/tasks/main.yml b/roles/certstore/tasks/main.yml
new file mode 100644
index 0000000..86466cc
--- /dev/null
+++ b/roles/certstore/tasks/main.yml
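Review bot: the `copy` of the whole `files/` tree into `/opt/tsg` also delivers the committed `6379/dump.rdb`, and it runs on every play, so if 6379.conf's `dir` points at that directory (the directive is outside this view) each replay overwrites the live RDB with the repository snapshot and the certificates written since are lost. Ship the seed file from a separate task with `force: no`, or stop committing a pre-populated database, and review what the blob contains before it is pushed to every node. `shell: cd /opt/tsg/cert-redis;sh install.sh` is not idempotent and reports changed every run; a `creates: /usr/local/bin/redis-server` guard (or `changed_when: false`) keeps the play honest. `mode: 0755` is applied to every copied file, so the config, the seed database and the unit file all become executable; `mode: '0644'` with `directory_mode: '0755'` is what is wanted, and the `yes` values should be `true`.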
@@ -0,0 +1,37 @@
+- name: "copy certstore rpm to destination"
+ synchronize:
+ src: "{{ role_path }}/files/"
+ dest: "/tmp/ansible_deploy/"
+
+- name: Ensures /opt/tsg exists
+ file: path=/opt/tsg state=directory
+ tags: mkdir
+
+- name: install certstore
+ yum:
+ name:
+ - /tmp/ansible_deploy/certstore-2.1.3.202010.81eef83-1.el7.x86_64.rpm
+ state: present
+
+- name: template certstore configure file
+ template:
+ src: "{{ role_path }}/templates/cert_store.ini.j2"
+ dest: /opt/tsg/certstore/conf/cert_store.ini
+
+- name: template certstore zlog file
+ template:
+ src: "{{ role_path }}/templates/zlog.conf.j2"
+ dest: /opt/tsg/certstore/conf/zlog.conf
+
+- name: "copy memory limit file to certstore.service.d"
+ copy:
+ src: "{{ role_path }}/files/memory.conf"
+ dest: /etc/systemd/system/certstore.service.d/
+ mode: 0644
+
+- name: "start certstore"
+ systemd:
+ name: certstore.service
+ state: started
+ enabled: yes
+ daemon_reload: yes
diff --git a/roles/certstore/templates/cert_store.ini.j2 b/roles/certstore/templates/cert_store.ini.j2
new file mode 100644
index 0000000..c227eed
--- /dev/null
+++ b/roles/certstore/templates/cert_store.ini.j2
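Review bot: the rpm is staged in `/tmp/ansible_deploy/` by `synchronize` and installed from there by `yum` with no signature or checksum check in view; because `/tmp` is world-writable, any local user who pre-creates that directory owns it and can swap the package between the two tasks. Stage under a root-owned path such as `/root/ansible_deploy` (or a `tempfile` result) and either keep `gpgcheck` on for a signed rpm or verify a recorded SHA-256 with `stat` before installing. The two `template` tasks have no `notify`, so a changed `cert_store.ini` or `zlog.conf` is written but `state: started` never restarts certstore; add `notify: restart certstore` with a handler. `file: path=/opt/tsg state=directory` is the only key=value task in the role; native YAML (`path: /opt/tsg`, `state: directory`, plus `owner`/`mode`) matches the rest, and the `yes` values should be `true`.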
@@ -0,0 +1,58 @@
+[SYSTEM]
+#1:print on screen, 0:don't
+DEBUG_SWITCH = 1
+RUN_LOG_PATH = "conf/zlog.conf"
+
+[breakpad]
+disable_coredump=0
+enable_breakpad=1
+breakpad_minidump_dir=/tmp/certstore/crashreport
+enable_breakpad_upload=0
+breakpad_upload_url= {{ breakpad_upload_url }}
+
+[CONFIG]
+#Number of running threads
+thread-nu = 4
+#1 rsync, 0 sync
+mode=1
+#Local default root certificate is valid for 30 days by default
+expire_after = 30
+#Local default root certificate path
+local_debug = 1
+ca_path = ./cert/tango-ca-v3-trust-ca.pem
+untrusted_ca_path = ./cert/tango-ca-v3-untrust-ca.pem
+
+[MAAT]
+#Configure the load mode,
+#0: using the configuration distribution network
+#1: using local json
+#2: using Redis reads
+maat_json_switch=2
+#When the loading mode is sent to the network, set the scanning configuration modification interval (s).
+effective_interval=1
+#Specify the location of the configuration library table file
+table_info=./conf/table_info.conf
+#Incremental profile path
+inc_cfg_dir=./rule/inc/index
+#Full profile path
+full_cfg_dir=./rule/full/index
+#Json file path when json schema is used
+pxy_obj_keyring=./conf/pxy_obj_keyring.json
+
+[LIBEVENT]
+#Local monitor port number, default is 9991
+port = 9991
+
+[CERTSTORE_REDIS]
+#The Redis server IP address and port number where the certificate is stored locally
+ip = 127.0.0.1
+port = 6379
+
+[MAAT_REDIS]
+#Maat monitors the Redsi server IP address and port number
+ip = {{ maat_redis_server.address }}
+port = {{ maat_redis_server.port }}
+dbindex = {{ maat_redis_server.db }}
+[stat]
+statsd_server=127.0.0.1
+statsd_port=58100
diff --git a/roles/certstore/templates/zlog.conf.j2 b/roles/certstore/templates/zlog.conf.j2
new file mode 100644
index 0000000..4e3cf0d
--- /dev/null
+++ b/roles/certstore/templates/zlog.conf.j2
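Review bot: `enable_breakpad=1` with `breakpad_minidump_dir=/tmp/certstore/crashreport` writes crash minidumps — a snapshot of process memory for a service whose job is holding certificates and, presumably, the private keys that go with them — into a world-readable location under `/tmp`. Point it at a root-only directory the role creates (e.g. `/opt/tsg/certstore/crashreport`, mode 0700) or drive it from a variable that defaults to `enable_breakpad=0`. `DEBUG_SWITCH = 1` and `local_debug = 1` are hardcoded on in an otherwise templated production file; `{{ certstore_debug | default(0) }}` lets the deploy turn them off. `[CERTSTORE_REDIS]` and `[MAAT_REDIS]` carry address and port only, so if the application supports Redis credentials the template has no place for them, and the store is only as protected as the `bind`/`requirepass` lines of 6379.conf, which are outside this view.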
@@ -0,0 +1,10 @@
+[global]
+default format = "%d(%c), %V, %F, %U, %m%n"
+[levels]
+DEBUG=10
+INFO=20
+FATAL=30
+[rules]
+*.fatal "./logs/error.log.%d(%F)";
+*.{{ certstore_log_level }} "./logs/certstore.log.%d(%F)"
+
diff --git a/roles/firewall/files/capture_packet_plug-3.0.4.42574b7-2.el7.x86_64.rpm b/roles/firewall/files/capture_packet_plug-3.0.4.42574b7-2.el7.x86_64.rpm
new file mode 100644
index 0000000..96db0f0
Binary files /dev/null and b/roles/firewall/files/capture_packet_plug-3.0.4.42574b7-2.el7.x86_64.rpm differ
diff --git a/roles/firewall/files/conn_telemetry-1.0.2.8d6da43-2.el7.x86_64.rpm b/roles/firewall/files/conn_telemetry-1.0.2.8d6da43-2.el7.x86_64.rpm
new file mode 100644
index 0000000..71cae4b
Binary files /dev/null and b/roles/firewall/files/conn_telemetry-1.0.2.8d6da43-2.el7.x86_64.rpm differ
diff --git a/roles/firewall/files/dns-2.0.9.b639626-2.el7.x86_64.rpm b/roles/firewall/files/dns-2.0.9.b639626-2.el7.x86_64.rpm
new file mode 100644
index 0000000..38b04dc
Binary files /dev/null and b/roles/firewall/files/dns-2.0.9.b639626-2.el7.x86_64.rpm differ
diff --git a/roles/firewall/files/ftp-1.0.8.13d5fda-2.el7.x86_64.rpm b/roles/firewall/files/ftp-1.0.8.13d5fda-2.el7.x86_64.rpm
new file mode 100644
index 0000000..8e8a92f
Binary files /dev/null and b/roles/firewall/files/ftp-1.0.8.13d5fda-2.el7.x86_64.rpm differ
diff --git a/roles/firewall/files/fw_dns_plug-3.0.2.dab58fa-2.el7.x86_64.rpm b/roles/firewall/files/fw_dns_plug-3.0.2.dab58fa-2.el7.x86_64.rpm
new file mode 100644
index 0000000..26671a1
Binary files /dev/null and b/roles/firewall/files/fw_dns_plug-3.0.2.dab58fa-2.el7.x86_64.rpm differ
diff --git a/roles/firewall/files/fw_ftp_plug-3.0.1.0a78573-2.el7.x86_64.rpm b/roles/firewall/files/fw_ftp_plug-3.0.1.0a78573-2.el7.x86_64.rpm
new file mode 100644
index 0000000..d4b7be9
Binary files /dev/null and b/roles/firewall/files/fw_ftp_plug-3.0.1.0a78573-2.el7.x86_64.rpm differ
diff --git a/roles/firewall/files/fw_http_plug-3.0.1.0c7e082-2.el7.x86_64.rpm b/roles/firewall/files/fw_http_plug-3.0.1.0c7e082-2.el7.x86_64.rpm
new file mode 100644
index 0000000..602ab6a
Binary files /dev/null and b/roles/firewall/files/fw_http_plug-3.0.1.0c7e082-2.el7.x86_64.rpm differ
diff --git a/roles/firewall/files/fw_mail_plug-3.0.1.02465eb-2.el7.x86_64.rpm b/roles/firewall/files/fw_mail_plug-3.0.1.02465eb-2.el7.x86_64.rpm
new file mode 100644
index 0000000..750c219
Binary files /dev/null and b/roles/firewall/files/fw_mail_plug-3.0.1.02465eb-2.el7.x86_64.rpm differ
diff --git a/roles/firewall/files/fw_quic_plug-3.0.1.b790ee1-2.el7.x86_64.rpm b/roles/firewall/files/fw_quic_plug-3.0.1.b790ee1-2.el7.x86_64.rpm
new file mode 100644
index 0000000..badb5fe
Binary files /dev/null and b/roles/firewall/files/fw_quic_plug-3.0.1.b790ee1-2.el7.x86_64.rpm differ
diff --git a/roles/firewall/files/fw_ssl_plug-3.0.4.a0b19ee-2.el7.x86_64.rpm b/roles/firewall/files/fw_ssl_plug-3.0.4.a0b19ee-2.el7.x86_64.rpm
new file mode 100644
index 0000000..0ebd79a
Binary files /dev/null and b/roles/firewall/files/fw_ssl_plug-3.0.4.a0b19ee-2.el7.x86_64.rpm differ
diff --git a/roles/firewall/files/http-2.0.5.c61ad9a-2.el7.x86_64.rpm b/roles/firewall/files/http-2.0.5.c61ad9a-2.el7.x86_64.rpm
new file mode 100644
index 0000000..2b6a7cf
Binary files /dev/null and b/roles/firewall/files/http-2.0.5.c61ad9a-2.el7.x86_64.rpm differ
diff --git a/roles/firewall/files/mail-1.0.9.c1d3bde-2.el7.x86_64.rpm b/roles/firewall/files/mail-1.0.9.c1d3bde-2.el7.x86_64.rpm
new file mode 100644
index 0000000..1eace4e
Binary files /dev/null and b/roles/firewall/files/mail-1.0.9.c1d3bde-2.el7.x86_64.rpm differ
diff --git a/roles/firewall/files/quic-1.1.10.c2b90a0-2.el7.x86_64.rpm b/roles/firewall/files/quic-1.1.10.c2b90a0-2.el7.x86_64.rpm
new file mode 100644
index 0000000..b87e069
Binary files /dev/null and b/roles/firewall/files/quic-1.1.10.c2b90a0-2.el7.x86_64.rpm differ
diff --git a/roles/firewall/files/radius-1.0.2.7bddf74-2.el7.x86_64.rpm b/roles/firewall/files/radius-1.0.2.7bddf74-2.el7.x86_64.rpm
new file mode 100644
index 0000000..18053a2
Binary files /dev/null and b/roles/firewall/files/radius-1.0.2.7bddf74-2.el7.x86_64.rpm differ
diff --git a/roles/firewall/files/ssl-1.0.9.69f3742-2.el7.x86_64.rpm b/roles/firewall/files/ssl-1.0.9.69f3742-2.el7.x86_64.rpm
new file mode 100644
index 0000000..1f3597a
Binary files /dev/null and b/roles/firewall/files/ssl-1.0.9.69f3742-2.el7.x86_64.rpm differ
diff --git a/roles/firewall/files/tsg_conn_sketch-2.0.6.abb4f4d-2.el7.x86_64.rpm b/roles/firewall/files/tsg_conn_sketch-2.0.6.abb4f4d-2.el7.x86_64.rpm
new file mode 100644
index 0000000..cba9d25
Binary files /dev/null and b/roles/firewall/files/tsg_conn_sketch-2.0.6.abb4f4d-2.el7.x86_64.rpm differ
diff --git a/roles/firewall/files/tsg_master-3.3.0.5fcfdae-2.el7.x86_64.rpm b/roles/firewall/files/tsg_master-3.3.0.5fcfdae-2.el7.x86_64.rpm
new file mode 100644
index 0000000..bba14f2
Binary files /dev/null and b/roles/firewall/files/tsg_master-3.3.0.5fcfdae-2.el7.x86_64.rpm differ
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
new file mode 100644
index 0000000..b3cda52
--- /dev/null
+++ b/roles/firewall/tasks/main.yml
@@ -0,0 +1,47 @@
+---
+- name: "copy firewall rpms to destination server"
+ copy:
+ src: "{{ role_path }}/files/"
+ dest: /tmp/ansible_deploy/
+
+- name: "install firewall packages"
+ yum:
+ name: "{{ fw_packages }}"
+ state: present
+ skip_broken: yes
+ vars:
+ fw_packages:
+ - /tmp/ansible_deploy/capture_packet_plug-3.0.4.42574b7-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/conn_telemetry-1.0.2.8d6da43-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/dns-2.0.9.b639626-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/ftp-1.0.8.13d5fda-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/fw_dns_plug-3.0.2.dab58fa-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/fw_ftp_plug-3.0.1.0a78573-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/fw_http_plug-3.0.1.0c7e082-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/fw_mail_plug-3.0.1.02465eb-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/fw_quic_plug-3.0.1.b790ee1-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/fw_ssl_plug-3.0.4.a0b19ee-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/http-2.0.5.c61ad9a-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/mail-1.0.9.c1d3bde-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/quic-1.1.10.c2b90a0-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/ssl-1.0.9.69f3742-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/tsg_conn_sketch-2.0.6.abb4f4d-2.el7.x86_64.rpm
+
+- name: "Template the tsgconf/main.conf"
+ template:
+ src: "{{ role_path }}/templates/main.conf.j2"
+ dest: /home/mesasoft/sapp_run/tsgconf/main.conf
+ tags: template
+
+
+- name: "Template the tsgconf/maat.conf"
+ template:
+ src: "{{ role_path }}/templates/maat.conf.j2"
+ dest: /home/mesasoft/sapp_run/tsgconf/maat.conf
+ tags: template
+
+- name: "Template the conf/capture_packet_plug.conf.j2"
+ template:
+ src: "{{ role_path }}/templates/capture_packet_plug.conf.j2"
+ dest: /home/mesasoft/sapp_run/conf/capture_packet_plug.conf
+ tags: template
diff --git a/roles/firewall/templates/capture_packet_plug.conf.j2 b/roles/firewall/templates/capture_packet_plug.conf.j2
new file mode 100644
index 0000000..bea5f89
--- /dev/null
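Review bot: `skip_broken: yes` on the `yum` install of the fifteen local rpms means a package with unsatisfied dependencies — `fw_ssl_plug` or `conn_telemetry`, say — is silently left out and the play still succeeds, so a node can pass deploy without the inspection plugin it is meant to run; drop it and let the task fail, and write the remaining booleans as `true`/`false`. `files/` also ships `radius-1.0.2.7bddf74-2.el7.x86_64.rpm` and `tsg_master-3.3.0.5fcfdae-2.el7.x86_64.rpm` that are not in `fw_packages`; if radius belongs to this role it is missing from the install, and if not, both rpms are dead weight copied to every host. The three `template` tasks write root-owned policy config under `/home/mesasoft/sapp_run/` with no `owner`/`mode` and no `notify`, so a changed `main.conf` is not applied until something else restarts the service, and if that home tree is writable by the `mesasoft` account that user can edit configuration consumed by a root-run process — worth confirming against the rpm's ownership.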
+++ b/roles/firewall/templates/capture_packet_plug.conf.j2
@@ -0,0 +1,25 @@
+[MAAT]
+MAAT_MODE=2
+#EFFECTIVE_FLAG=
+STAT_SWITCH=1
+PERF_SWITCH=1
+TABLE_INFO=conf/capture_packet_tableinfo.conf
+STAT_FILE=capture_packet_maat.status
+EFFECT_INTERVAL_S=1
+REDIS_IP={{ maat_redis_server.address }}
+REDIS_PORT_NUM=1
+REDIS_PORT={{ maat_redis_server.port }}
+REDIS_INDEX=0
+JSON_CFG_FILE=conf/capture_packet_maat.json
+INC_CFG_DIR=capture_packet_rule/inc/index/
+FULL_CFG_DIR=capture_packet_rule/full/index/
+
+[LOG]
+NIC_NAME={{ nic_mgr.name }}
+BROKER_LIST={{ log_kafkabrokers.address }}
+FIELD_FILE=conf/capture_packet_log_field.conf
+
+[SYSTEM]
+LOG_LEVEL={{ capture_packet_log_level }}
+LOG_PATH=./tsglog/capture_packet_plug/capture_packet
+
diff --git a/roles/firewall/templates/maat.conf.j2 b/roles/firewall/templates/maat.conf.j2
new file mode 100644
index 0000000..2980fe1
--- /dev/null
+++ b/roles/firewall/templates/maat.conf.j2
@@ -0,0 +1,32 @@
+[STATIC]
+###0:location 1:json 2:redis
+MAAT_MODE=2
+STAT_SWITCH=1
+PERF_SWITCH=1
+TABLE_INFO=tsgconf/tsg_static_tableinfo.conf
+STAT_FILE=tsg_static_maat.status
+EFFECT_INTERVAL_S=1
+REDIS_IP={{ maat_redis_server.address }}
+REDIS_PORT_NUM=1
+REDIS_PORT=7002
+REDIS_INDEX=0
+JSON_CFG_FILE=tsgconf/tsg_maat.json
+INC_CFG_DIR=tsgrule/inc/index/
+FULL_CFG_DIR=tsgrule/full/index/
+
+[DYNAMIC]
+###0:location 1:json 2:redis
+MAAT_MODE=2
+STAT_SWITCH=1
+PERF_SWITCH=1
+TABLE_INFO=tsgconf/tsg_dynamic_tableinfo.conf
+STAT_FILE=tsg_dynamic_maat.status
+EFFECT_INTERVAL_S=1
+REDIS_IP={{ dynamic_maat_redis_server.address }}
+REDIS_PORT_NUM=1
+REDIS_PORT=7002
+REDIS_INDEX=1
+JSON_CFG_FILE=tsgconf/tsg_maat.json
+INC_CFG_DIR=tsgrule/inc/index/
+FULL_CFG_DIR=tsgrule/full/index/
+
diff --git a/roles/firewall/templates/main.conf.j2 b/roles/firewall/templates/main.conf.j2
new file mode 100644
index 0000000..572b95b
--- /dev/null
+++ b/roles/firewall/templates/main.conf.j2
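Review bot: `REDIS_PORT={{ maat_redis_server.port }}` here, while `maat.conf.j2` in the same role hardcodes `REDIS_PORT=7002` for the same `maat_redis_server.address`, so unless the inventory sets the variable to exactly 7002 the capture plugin and the firewall core load policy from different Redis instances; use the variable in both files. `MAAT_MODE=2` makes the capture rules come from that Redis and `BROKER_LIST={{ log_kafkabrokers.address }}` streams capture logs to Kafka, both configured by address alone; if the plugin supports authentication or TLS for either, the template has no place for it, and packet-capture output is among the most sensitive data this stack emits, so a comment stating how those paths are protected (or the missing options) would help the next reader.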
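Review bot: `REDIS_PORT=7002` is a literal in both `[STATIC]` and `[DYNAMIC]` while `REDIS_IP` is templated, and `capture_packet_plug.conf.j2` in this role uses `{{ maat_redis_server.port }}`; template the port here too (`REDIS_PORT={{ maat_redis_server.port }}` and a `dynamic_maat_redis_server.port`) so a non-default port in group_vars does not leave the two configs pointing at different servers. `REDIS_INDEX=0`/`1` are likewise fixed whereas `cert_store.ini.j2` takes its index from `maat_redis_server.db`; a `db` field on each server variable keeps the source of truth in one place. Both sections share `JSON_CFG_FILE`, `INC_CFG_DIR` and `FULL_CFG_DIR`, which is fine if the loader namespaces by `TABLE_INFO`, but a one-line comment saying so would save the next reader the question.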
@@ -0,0 +1,57 @@
+[FTP_PLUG]
+LOG_PATH="./tsglog/fw_ftp_plug/fw_ftp_plug"
+LOG_LEVEL={{ fw_ftp_log_level }}
+TIMEOUT=600
+
+[MAIL_PLUG]
+LOG_PATH="./tsglog/fw_mail_plug/fw_mail_plug"
+LOG_LEVEL={{ fw_mail_log_level }}
+TIMEOUT=600
+
+[HTTP_PLUG]
+LOG_PATH="./tsglog/fw_http_plug/fw_http_plug"
+LOG_LEVEL={{ fw_http_log_level }}
+
+[DNS_PLUG]
+LOG_PATH="./tsglog/fw_dns_plug/fw_dns_plug"
+LOG_LEVEL={{ fw_dns_log_level }}
+
+[QUIC_PLUG]
+LOG_PATH="./tsglog/fw_quic_plug/fw_quic_plug"
+LOG_LEVEL={{ fw_quic_log_level }}
+
+[MAAT]
+PROFILE="./tsgconf/maat.conf"
+SUBSCRIBER_ID_TABLE="TSG_OBJ_SUBSCRIBER_ID"
+CB_SUBSCRIBER_IP_TABLE="TSG_DYN_SUBSCRIBER_IP"
+IP_ADDR_TABLE="TSG_SECURITY_ADDR"
+
+[TSG_LOG]
+MODE=1
+NIC_NAME="{{ nic_mgr.name }}"
+MAX_SERVICE=1
+LOG_LEVEL={{ tsg_log_level }}
+LOG_PATH="./tsglog/tsglog"
+BROKER_LIST="{{ log_kafkabrokers.address }}"
+COMMON_FIELD_FILE="tsgconf/tsg_log_field.conf"
+
+[STATISTIC]
+CYCLE=5
+TELEGRAF_PORT=8100
+TELEGRAF_IP="127.0.0.1"
+OUTPUT_PATH="./tsg_statistic.log"
+APP_NAME="statistic"
+
+[FIELD_STAT]
+CYCLE=5
+TELEGRAF_PORT=8100
+TELEGRAF_IP="127.0.0.1"
+OUTPUT_PATH="./tsg_stat.log"
+APP_NAME="tsg_master"
+
+[SYSTEM]
+ENTRANCE_ID={{ tsg_master_entrance_id }}
+LOG_LEVEL={{ tsg_master_log_level }}
+LOG_PATH="./tsglog/tsg_master"
+POLICY_PRIORITY_LABEL="POLICY_PRIORITY"
+DEVICE_ID_COMMAND="hostname | awk -F'-' '{print $3}'| awk -F'ADC' '{print $2}'"
\ No newline at end of file
diff --git a/roles/framework/files/framework.conf b/roles/framework/files/framework.conf
new file mode 100644
index 0000000..28152a9
--- /dev/null
+++ b/roles/framework/files/framework.conf
@@ -0,0 +1 @@
+/opt/MESA/lib/
diff --git a/roles/framework/files/libMESA_field_stat-1.0.2.6d45eed-2.el7.x86_64.rpm b/roles/framework/files/libMESA_field_stat-1.0.2.6d45eed-2.el7.x86_64.rpm
new file mode 100644
index 0000000..e217ac8
Binary files /dev/null and b/roles/framework/files/libMESA_field_stat-1.0.2.6d45eed-2.el7.x86_64.rpm differ
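Review bot: `DEVICE_ID_COMMAND="hostname | awk -F'-' '{print $3}'| awk -F'ADC' '{print $2}'"` in `[SYSTEM]` derives the device identity at runtime from a shell pipeline over the hostname layout, so any host not named `x-y-ADCnn` silently gets an empty id, and the problem only shows once tsg_master runs. Ansible already knows the host, so compute it at template time — e.g. `{{ tsg_device_id | default(inventory_hostname.split('-')[2] | regex_replace('^ADC', '')) }}` — if tsg_master accepts a literal id, keeping the command form only as a documented fallback. `TELEGRAF_IP`/`TELEGRAF_PORT` are repeated verbatim in `[STATISTIC]` and `[FIELD_STAT]`; one statsd-endpoint variable keeps them from drifting. The file ends with `\ No newline at end of file`, which some INI readers treat as a truncated last line.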
diff --git a/roles/framework/files/libMESA_field_stat2-2.9.4.4e2dd78-2.el7.x86_64.rpm b/roles/framework/files/libMESA_field_stat2-2.9.4.4e2dd78-2.el7.x86_64.rpm
new file mode 100644
index 0000000..98525ab
Binary files /dev/null and b/roles/framework/files/libMESA_field_stat2-2.9.4.4e2dd78-2.el7.x86_64.rpm differ
diff --git a/roles/framework/files/libMESA_handle_logger-2.0.7.cb4ad71-2.el7.x86_64.rpm b/roles/framework/files/libMESA_handle_logger-2.0.7.cb4ad71-2.el7.x86_64.rpm
new file mode 100644
index 0000000..dd04541
Binary files /dev/null and b/roles/framework/files/libMESA_handle_logger-2.0.7.cb4ad71-2.el7.x86_64.rpm differ
diff --git a/roles/framework/files/libMESA_htable-3.10.12.cf4ccfc-2.el7.x86_64.rpm b/roles/framework/files/libMESA_htable-3.10.12.cf4ccfc-2.el7.x86_64.rpm
new file mode 100644
index 0000000..5a45e4e
Binary files /dev/null and b/roles/framework/files/libMESA_htable-3.10.12.cf4ccfc-2.el7.x86_64.rpm differ
diff --git a/roles/framework/files/libMESA_prof_load-1.0.6.c6da36a-2.el7.x86_64.rpm b/roles/framework/files/libMESA_prof_load-1.0.6.c6da36a-2.el7.x86_64.rpm
new file mode 100644
index 0000000..8ffff2b
Binary files /dev/null and b/roles/framework/files/libMESA_prof_load-1.0.6.c6da36a-2.el7.x86_64.rpm differ
diff --git a/roles/framework/files/libWiredLB-2.0.5.4629165-2.el7.x86_64.rpm b/roles/framework/files/libWiredLB-2.0.5.4629165-2.el7.x86_64.rpm
new file mode 100644
index 0000000..8681621
Binary files /dev/null and b/roles/framework/files/libWiredLB-2.0.5.4629165-2.el7.x86_64.rpm differ
diff --git a/roles/framework/files/libbreakpad_mini-1.0.2.a56ef00-2.el7.x86_64.rpm b/roles/framework/files/libbreakpad_mini-1.0.2.a56ef00-2.el7.x86_64.rpm
new file mode 100644
index 0000000..448184a
Binary files /dev/null and b/roles/framework/files/libbreakpad_mini-1.0.2.a56ef00-2.el7.x86_64.rpm differ
diff --git a/roles/framework/files/libcjson-1.7.10.ab2896f-2.el7.x86_64.rpm b/roles/framework/files/libcjson-1.7.10.ab2896f-2.el7.x86_64.rpm
new file mode 100644
index 0000000..7c3ee89
Binary files /dev/null and b/roles/framework/files/libcjson-1.7.10.ab2896f-2.el7.x86_64.rpm differ
diff --git a/roles/framework/files/libdocumentanalyze-2.0.6.2d1abe0-2.el7.x86_64.rpm b/roles/framework/files/libdocumentanalyze-2.0.6.2d1abe0-2.el7.x86_64.rpm
new file mode 100644
index 0000000..7620c25
Binary files /dev/null and b/roles/framework/files/libdocumentanalyze-2.0.6.2d1abe0-2.el7.x86_64.rpm differ
diff --git a/roles/framework/files/libmaatframe-3.1.3.4fbcf21-2.el7.x86_64.rpm b/roles/framework/files/libmaatframe-3.1.3.4fbcf21-2.el7.x86_64.rpm
new file mode 100644
index 0000000..d94f5d8
Binary files /dev/null and b/roles/framework/files/libmaatframe-3.1.3.4fbcf21-2.el7.x86_64.rpm differ
diff --git a/roles/framework/files/librdkafka-0.11.4-1.el7.x86_64.rpm b/roles/framework/files/librdkafka-0.11.4-1.el7.x86_64.rpm
new file mode 100644
index 0000000..dd12e43
Binary files /dev/null and b/roles/framework/files/librdkafka-0.11.4-1.el7.x86_64.rpm differ
diff --git a/roles/framework/files/librulescan-2.2.1.1716a7b-2.el7.x86_64.rpm b/roles/framework/files/librulescan-2.2.1.1716a7b-2.el7.x86_64.rpm
new file mode 100644
index 0000000..d709550
Binary files /dev/null and b/roles/framework/files/librulescan-2.2.1.1716a7b-2.el7.x86_64.rpm differ
diff --git a/roles/framework/files/libtsglua-1.0.8.0dbf2e6-2.el7.x86_64.rpm b/roles/framework/files/libtsglua-1.0.8.0dbf2e6-2.el7.x86_64.rpm
new file mode 100644
index 0000000..3ab7428
Binary files /dev/null and b/roles/framework/files/libtsglua-1.0.8.0dbf2e6-2.el7.x86_64.rpm differ
diff --git a/roles/framework/files/libwiredcfg-2.0.6.67ae0ab-2.el7.x86_64.rpm b/roles/framework/files/libwiredcfg-2.0.6.67ae0ab-2.el7.x86_64.rpm
new file mode 100644
index 0000000..7b5a44b
Binary files /dev/null and b/roles/framework/files/libwiredcfg-2.0.6.67ae0ab-2.el7.x86_64.rpm differ
diff --git a/roles/framework/files/lz4-1.7.5-3.el7.x86_64.rpm b/roles/framework/files/lz4-1.7.5-3.el7.x86_64.rpm
new file mode 100644
index 0000000..07035f1
Binary files /dev/null and b/roles/framework/files/lz4-1.7.5-3.el7.x86_64.rpm differ
diff --git a/roles/framework/tasks/main.yml b/roles/framework/tasks/main.yml
new file mode 100644
index 0000000..d6c5d05
--- /dev/null
+++ b/roles/framework/tasks/main.yml
@@ -0,0 +1,40 @@
+- name: "copy framework rpms to destination server"
+ synchronize:
+ src: "{{ role_path }}/files/"
+ dest: "/tmp/ansible_deploy/"
+
+- name: "install framework packages"
+ yum:
+ name: "{{ packages }}"
+ state: present
+ skip_broken: yes
+ vars:
+ packages:
+ - /tmp/ansible_deploy/libcjson-1.7.10.ab2896f-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/libdocumentanalyze-2.0.6.2d1abe0-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/libmaatframe-3.1.3.4fbcf21-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/libMESA_field_stat-1.0.2.6d45eed-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/libMESA_field_stat2-2.9.4.4e2dd78-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/libMESA_handle_logger-2.0.7.cb4ad71-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/libMESA_htable-3.10.12.cf4ccfc-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/libMESA_prof_load-1.0.6.c6da36a-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/librdkafka-0.11.4-1.el7.x86_64.rpm
+ - /tmp/ansible_deploy/librulescan-2.2.1.1716a7b-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/libtsglua-1.0.8.0dbf2e6-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/libwiredcfg-2.0.6.67ae0ab-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/libWiredLB-2.0.5.4629165-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/lz4-1.7.5-3.el7.x86_64.rpm
+ - /tmp/ansible_deploy/libbreakpad_mini-1.0.2.a56ef00-2.el7.x86_64.rpm
+
+- name: "mkdir /etc/ld.so.conf.d/"
+ file:
+ path: /etc/ld.so.conf.d/
+ state: directory
+
+- name: "copy framework.conf to destination server"
+ copy:
+ src: "{{ role_path }}/files/framework.conf"
+ dest: /etc/ld.so.conf.d/
+
+- name: "update ld"
+ command: ldconfig
diff --git a/roles/http_healthcheck/files/http_healthcheck-20.04-1.el7.x86_64.rpm b/roles/http_healthcheck/files/http_healthcheck-20.04-1.el7.x86_64.rpm
new file mode 100644
index 0000000..eff24ad
Binary files /dev/null and b/roles/http_healthcheck/files/http_healthcheck-20.04-1.el7.x86_64.rpm differ
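Review bot: `copy framework.conf to destination server` adds `/opt/MESA/lib/` to the system-wide dynamic-linker search path and `command: ldconfig` activates it for every process on the host, root daemons included, so that directory and its parents must be root-owned and not group/world-writable or any local user can plant a shadowing `.so`; the rpms set the ownership (not visible here), so add a `file` task asserting `owner: root`, `group: root`, `mode: '0755'` on `/opt/MESA/lib` before `ldconfig`. `ldconfig` also runs and reports changed on every play; register the copy task and gate it with `when: framework_conf.changed` (or mark it `changed_when: false`). As in the other roles, `skip_broken: yes` lets a dependency-broken library rpm be silently omitted, which here surfaces later as a `dlopen` failure in a data-plane process; drop it and write the remaining booleans as `true`/`false`.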
diff --git a/roles/http_healthcheck/tasks/main.yml b/roles/http_healthcheck/tasks/main.yml
new file mode 100644
index 0000000..e60b08a
--- /dev/null
+++ b/roles/http_healthcheck/tasks/main.yml
@@ -0,0 +1,10 @@
+- name: "copy http_healthcheck rpm to destination server"
+ copy:
+ src: "{{ role_path }}/files/"
+ dest: /tmp/ansible_deploy/
+
+- name: "install http_healthcheck from localhost"
+ yum:
+ name:
+ - /tmp/ansible_deploy/http_healthcheck-20.04-1.el7.x86_64.rpm
+ state: present
diff --git a/roles/kernel-ml/files/dkms-2.7.1-1.el7.noarch.rpm b/roles/kernel-ml/files/dkms-2.7.1-1.el7.noarch.rpm
new file mode 100644
index 0000000..e5a68ba
Binary files /dev/null and b/roles/kernel-ml/files/dkms-2.7.1-1.el7.noarch.rpm differ
diff --git a/roles/kernel-ml/files/elfutils-libelf-devel-0.168-8.el7.x86_64.rpm b/roles/kernel-ml/files/elfutils-libelf-devel-0.168-8.el7.x86_64.rpm
new file mode 100644
index 0000000..b31fff6
Binary files /dev/null and b/roles/kernel-ml/files/elfutils-libelf-devel-0.168-8.el7.x86_64.rpm differ
diff --git a/roles/kernel-ml/files/grub b/roles/kernel-ml/files/grub
new file mode 100644
index 0000000..3fcd5fe
--- /dev/null
+++ b/roles/kernel-ml/files/grub
@@ -0,0 +1,8 @@
+GRUB_TIMEOUT=5
+GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
+GRUB_DEFAULT=saved
+GRUB_DISABLE_SUBMENU=true
+GRUB_TERMINAL="serial console"
+GRUB_SERIAL_COMMAND="serial --speed=115200"
+GRUB_CMDLINE_LINUX="crashkernel=auto console=ttyS0,115200 intel_iommu=on iommu=pt pci=realloc,assign-busses"
+GRUB_DISABLE_RECOVERY="true"
diff --git a/roles/kernel-ml/files/kernel/kernel-ml-5.1.8-1.el7.elrepo.x86_64.rpm b/roles/kernel-ml/files/kernel/kernel-ml-5.1.8-1.el7.elrepo.x86_64.rpm
new file mode 100644
index 0000000..6fefdec
Binary files /dev/null and b/roles/kernel-ml/files/kernel/kernel-ml-5.1.8-1.el7.elrepo.x86_64.rpm differ
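Review bot: this file replaces `/etc/default/grub` wholesale when the kernel-ml role copies it onto access-type-4 hosts, so `GRUB_CMDLINE_LINUX` loses whatever the installed system already had there (typically `rd.lvm.lv=...` or `rd.md.uuid=...` for the root volume), and after `grub2-mkconfig` such a host may not find its root filesystem; add `intel_iommu=on iommu=pt pci=realloc,assign-busses` to the existing line with `lineinfile`/`ini_file` instead of shipping a static file. With `GRUB_TERMINAL="serial console"`, `GRUB_TIMEOUT=5` and no superuser/`GRUB_PASSWORD` configured, anyone with serial or console access can edit the boot entry and pass `init=/bin/sh`; for appliances on a carrier network a `grub2-setpassword`-generated `/etc/grub.d/01_users` entry is the usual mitigation. `crashkernel=auto` reserves kdump memory but nothing in this commit installs or enables kdump; either is fine, but a comment should say which is intended.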
diff --git a/roles/kernel-ml/files/kernel/kernel-ml-devel-5.1.8-1.el7.elrepo.x86_64.rpm b/roles/kernel-ml/files/kernel/kernel-ml-devel-5.1.8-1.el7.elrepo.x86_64.rpm
new file mode 100644
index 0000000..1dd97ca
Binary files /dev/null and b/roles/kernel-ml/files/kernel/kernel-ml-devel-5.1.8-1.el7.elrepo.x86_64.rpm differ
diff --git a/roles/kernel-ml/files/pkgconfig-0.27.1-4.el7.x86_64.rpm b/roles/kernel-ml/files/pkgconfig-0.27.1-4.el7.x86_64.rpm
new file mode 100644
index 0000000..d37c601
Binary files /dev/null and b/roles/kernel-ml/files/pkgconfig-0.27.1-4.el7.x86_64.rpm differ
diff --git a/roles/kernel-ml/files/zlib-devel-1.2.7-17.el7.x86_64.rpm b/roles/kernel-ml/files/zlib-devel-1.2.7-17.el7.x86_64.rpm
new file mode 100644
index 0000000..fb29222
Binary files /dev/null and b/roles/kernel-ml/files/zlib-devel-1.2.7-17.el7.x86_64.rpm differ
diff --git a/roles/kernel-ml/tasks/main.yml b/roles/kernel-ml/tasks/main.yml
new file mode 100644
index 0000000..15f0579
--- /dev/null
+++ b/roles/kernel-ml/tasks/main.yml
@@ -0,0 +1,45 @@
+---
+- name: "copy framework rpms to destination server"
+ synchronize:
+ src: "{{ role_path }}/files/"
+ dest: "/tmp/ansible_deploy/"
+
+- name: "install kernels-ml"
+ yum:
+ name:
+ - /tmp/ansible_deploy/pkgconfig-0.27.1-4.el7.x86_64.rpm
+ - /tmp/ansible_deploy/zlib-devel-1.2.7-17.el7.x86_64.rpm
+ - /tmp/ansible_deploy/elfutils-libelf-devel-0.168-8.el7.x86_64.rpm
+ - /tmp/ansible_deploy/kernel/kernel-ml-5.1.8-1.el7.elrepo.x86_64.rpm
+ - /tmp/ansible_deploy/kernel/kernel-ml-devel-5.1.8-1.el7.elrepo.x86_64.rpm
+ - /tmp/ansible_deploy/dkms-2.7.1-1.el7.noarch.rpm
+ state: present
+ register: t_kernel_ml
+
+- name: "set kernel-ml as default kernel"
+ command: /usr/sbin/grub2-set-default 0
+ when: t_kernel_ml.changed
+
+- name: "copy /etc/default/grub"
+ copy:
+ src: "{{ role_path }}/files/grub"
+ dest: "/etc/default"
+ when:
+ - tsg_access_type == 4
+ - t_kernel_ml.changed
+
+- name: "BIOS:grub2-mkconfig"
+ shell: grub2-mkconfig -o /boot/grub2/grub.cfg
+ when:
+ - tsg_access_type == 4
+ - t_kernel_ml.changed
+
+- name: "UEFI:grub2-mkconfig"
+ shell: grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg
+ when:
+ - tsg_access_type == 4
+ - t_kernel_ml.changed
+
+#- name: "reboot"
+# reboot:
+# when: t_kernel_ml.changed
diff --git a/roles/kni/files/kni-20.10.20201019.3f20d93-2.el7.x86_64.rpm b/roles/kni/files/kni-20.10.20201019.3f20d93-2.el7.x86_64.rpm
new file mode 100644
index 0000000..8e8bdd6
Binary files /dev/null and b/roles/kni/files/kni-20.10.20201019.3f20d93-2.el7.x86_64.rpm differ
diff --git a/roles/kni/tasks/main.yml b/roles/kni/tasks/main.yml
new file mode 100644
index 0000000..408736a
--- /dev/null
+++ b/roles/kni/tasks/main.yml
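Review bot: both `grub2-mkconfig` tasks run on every access-type-4 host where the kernel changed, regardless of firmware, so on a BIOS machine `grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg` fails because the directory does not exist and the play aborts after the new kernel is already installed and set as default; detect the firmware with `stat: path: /sys/firmware/efi` (register `efi`) and gate the UEFI task on `efi.stat.exists` and the BIOS task on `not efi.stat.exists`. `kernel-ml-5.1.8-1.el7.elrepo` is a vendored mainline kernel from a series that went end-of-life in 2019, so committing it pins every host to a kernel with no security fixes since; make the version a variable and fetch the rpm from a controlled mirror with its signature checked rather than from `files/`. `grub2-set-default 0` selects by menu position, which changes as kernels are added; `grubby --set-default=/boot/vmlinuz-5.1.8-1.el7.elrepo.x86_64` selects by name.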
@@ -0,0 +1,24 @@
+---
+- name: "copy kni to destination server"
+ copy:
+ src: "{{ role_path }}/files/"
+ dest: /tmp/ansible_deploy/
+
+- name: "install kni rpms from localhost"
+ yum:
+ name:
+ - /tmp/ansible_deploy/kni-20.10.20201019.3f20d93-2.el7.x86_64.rpm
+ state: present
+# skip_broken: yes
+
+- name: Template the kni.conf
+ template:
+ src: "{{ role_path }}/templates/kni.conf.j2"
+ dest: /home/mesasoft/sapp_run/etc/kni/kni.conf
+ tags: template
+
+- name: "enable sapp"
+ systemd:
+ name: sapp
+ enabled: yes
+ daemon_reload: yes
diff --git a/roles/kni/templates/kni.conf.j2 b/roles/kni/templates/kni.conf.j2
new file mode 100644
index 0000000..cb7ce6d
--- /dev/null
+++ b/roles/kni/templates/kni.conf.j2
@@ -0,0 +1,144 @@
+[global]
+log_path = ./log/kni/kni.log
+log_level = {{ kni_log_level }}
+tfe_node_count = {{ kni.global.tfe_node_count }}
+manage_eth = {{ nic_mgr.name }}
+{% if tsg_running_type != 2 %}
+deploy_mode = tun
+{% else %}
+deploy_mode = normal
+{% endif %}
+tun_name = tun_kni
+src_mac_addr = 00:0e:c6:d6:72:c1
+dst_mac_addr = fe:65:b7:03:50:bd
+{% if tsg_access_type == 4 %}
+[tfe0]
+enabled = 1
+dev_eth_symbol = {{ ATCA_data_incoming.vf1_name }}
+ip_addr = 192.168.100.1
+{% elif tsg_running_type == 2 %}
+[tfe0]
+enabled = {{ kni.tfe_nodes.tfe0_enabled }}
+dev_eth_symbol = {{ nic_to_tfe.tfe0.name }}
+ip_addr = 192.168.100.2
+
+[tfe1]
+enabled = {{ kni.tfe_nodes.tfe1_enabled }}
+dev_eth_symbol = {{ nic_to_tfe.tfe1.name }}
+ip_addr = 192.168.100.3
+
+[tfe2]
+enabled = {{ kni.tfe_nodes.tfe2_enabled }}
+dev_eth_symbol = {{ nic_to_tfe.tfe2.name }}
+ip_addr = 192.168.100.4
+{% endif %}
+
+[tfe_cmsg_receiver]
+listen_eth = {{ nic_inner_ctrl.name }}
+listen_port = 2475
+
+[watch_dog]
+switch = {{ kni.watch_dog.switch }}
+listen_eth = {{ nic_inner_ctrl.name }}
+listen_port = 2476
+keepalive_idle = 2
+keepalive_intvl = 1
+keepalive_cnt = 3
+
+[marsio]
+appsym = knifw
+
+[dup_traffic]
+switch = 1
+action = 2
+capacity = 10000000
+error_rate = 0.00001
+expiry_time = 60
+
+[traceid2pme_htable]
+mho_screen_print_ctrl = 0
+mho_thread_safe = 1
+mho_mutex_num = 160
+mho_hash_slot_size = 640000
+mho_hash_max_element_num = 2560000
+mho_expire_time = 30
+mho_eliminate_type = LRU
+
+#per thread
+[tuple2stream_htable]
+mho_screen_print_ctrl = 0
+mho_thread_safe = 0
+mho_mutex_num = 160
+mho_hash_slot_size = 80000
+mho_hash_max_element_num = 320000
+mho_expire_time = 0
+mho_eliminate_type = LRU
+
+[field_stat]
+remote_switch = 1
+remote_ip = 127.0.0.1
+remote_port = 58100
+local_path = ./fs2_kni.status
+stat_cycle = 1
+print_mode = 1
+# 1:FS_OUTPUT_STATSD; 2:FS_OUTPUT_INFLUX_LINE
+statsd_format = 2
+APP_NAME = fs2_kni
+
+#self test Shunt rules security policy id
+[tsg_diagnose]
+enabled = 1
+security_policy_id = 3,10
+
+
+[ssl_dynamic_bypass]
+enabled = 1
+
+#kni dynamic bypass
+[traceid2sslinfo_htable]
+mho_screen_print_ctrl = 0
+mho_thread_safe = 1
+mho_mutex_num = 160
+mho_hash_slot_size = 80000
+mho_hash_max_element_num = 320000
+mho_expire_time = 300
+mho_eliminate_type = FIFO
+
+[sslinfo2bypass_htable]
+mho_screen_print_ctrl = 0
+mho_thread_safe = 1
+mho_mutex_num = 160
+mho_hash_slot_size = 640000
+mho_hash_max_element_num = 2560000
+mho_expire_time = 300
+mho_eliminate_type = FIFO
+
+[proxy_tcp_option]
+enabled = 1
+maat_table_compile = PXY_TCP_OPTION_COMPILE
+maat_table_addr = PXY_TCP_OPTION_ADDR
+maat_table_fqdn = PXY_TCP_OPTION_SERVER_FQDN
+enable_override = 0
+client_tcp_maxseg_enable = 0
+client_tcp_maxseg = 1460
+client_tcp_nodelay = 1
+client_tcp_ttl = 70
+client_tcp_keepalive_enable = 1
+client_tcp_keepalive_keepcnt = 8
+client_tcp_keepalive_keepidle = 30
+client_tcp_keepalive_keepintvl = 15
+client_tcp_user_timeout = 600
+server_tcp_maxseg_enable = 0
+server_tcp_maxseg = 1460
+server_tcp_nodelay = 1
+server_tcp_ttl = 75
+server_tcp_keepalive_enable = 1
+server_tcp_keepalive_keepcnt = 8
+server_tcp_keepalive_keepidle = 30
+server_tcp_keepalive_keepintvl = 15
+server_tcp_user_timeout = 600
+bypass_duplicated_packet = 0
+tcp_passthrough = 0
+
+[share_session_attribute]
+SESSION_ATTRIBUTE_LABEL=TSG_MASTER_INTERNAL_LABEL
diff --git a/roles/mrzcpd/files/memory.conf b/roles/mrzcpd/files/memory.conf
new file mode 100644
index 0000000..5de1253
--- /dev/null
+++ b/roles/mrzcpd/files/memory.conf
@@ -0,0 +1,2 @@
+[Service]
+MemoryMax=100G
\ No newline at end of file
diff --git a/roles/mrzcpd/files/mrzcpd-4.3.28.2d13de4-1.el7.x86_64.rpm b/roles/mrzcpd/files/mrzcpd-4.3.28.2d13de4-1.el7.x86_64.rpm
new file mode 100644
index 0000000..153a869
Binary files /dev/null and b/roles/mrzcpd/files/mrzcpd-4.3.28.2d13de4-1.el7.x86_64.rpm differ
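Review bot: `[tsg_diagnose] enabled = 1` with `security_policy_id = 3,10` and `[ssl_dynamic_bypass] enabled = 1` are literals in the template, so every deployment ships with the self-test shunt and the SSL bypass switched on and with policy ids that presumably exist only in one environment; template them (`enabled = {{ kni.tsg_diagnose.enabled | default(0) }}`, ids from a list variable) so production can turn them off and the reason for leaving them on is recorded in group_vars. `src_mac_addr = 00:0e:c6:d6:72:c1`, `dst_mac_addr = fe:65:b7:03:50:bd` and the `192.168.100.1`–`.4` tfe addresses in `[global]`/`[tfeN]` are likewise site-specific constants in an otherwise variable-driven file; a `kni.global`/`kni.tfe_nodes` entry for each would match how `tfe_node_count` and `tfe0_enabled` are already handled. When `tsg_access_type != 4` and `tsg_running_type != 2` no `[tfeN]` section is rendered at all while `tfe_node_count` is still emitted; if that combination is unsupported, an `{% else %}` branch that fails the render is better than a silently incomplete config.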
diff --git a/roles/mrzcpd/tasks/main.yml b/roles/mrzcpd/tasks/main.yml
new file mode 100644
index 0000000..5715f82
--- /dev/null
+++ b/roles/mrzcpd/tasks/main.yml
@@ -0,0 +1,186 @@ +--- +- name: "copy mrzcpd to destination server" + synchronize: + src: "{{ role_path }}/files/" + dest: "/tmp/ansible_deploy/" + +- name: "install mrzcpd" + yum: + name: /tmp/ansible_deploy/mrzcpd-4.3.28.2d13de4-1.el7.x86_64.rpm + state: present + +- name: "update sysconfig/mrzcpd" + template: + src: "{{ role_path }}/templates/mrzcpd.j2" + dest: /etc/sysconfig/mrzcpd + +- name: "update mrglobal.conf - traffic_mirror" + template: + src: "{{ role_path }}/templates/traffic_mirror/mrglobal.conf.traffic_mirror.j2" + dest: /opt/mrzcpd/etc/mrglobal.conf + when: nic_traffic_mirror is defined + + +- name: "copy mrapp.sapp4.conf to destination server" + template: + src: "{{ role_path }}/templates/mrapp.sapp4.conf " + dest: /opt/mrzcpd/etc/mrapp.sapp4.conf + when: + - tsg_access_type == 4 + +- name: "update mrglobal.conf.adc_inline" + template: + src: "{{ role_path }}/templates/adc_inline/mrglobal.conf.adc_inline.j2" + dest: /opt/mrzcpd/etc/mrglobal.conf + when: + - nic_traffic_mirror is not defined + - tsg_access_type == 1 + - tsg_running_type == 2 + +- name: "update mrglobal.conf.server_inline" + template: + src: "{{ role_path }}/templates/server_inline/mrglobal.conf.server_inline.j2" + dest: /opt/mrzcpd/etc/mrglobal.conf + when: + - nic_traffic_mirror is not defined + - tsg_access_type == 1 + - tsg_running_type != 2 + +- name: "update mrglobal.conf.allot - mcn0" + template: + src: "{{ role_path }}/templates/allot_access/mrglobal.conf.allot_access.j2" + dest: /opt/mrzcpd/etc/mrglobal.conf + when: + - nic_traffic_mirror is not defined + - tsg_access_type == 2 + +- name: "update mrglobal.conf.adc_tun_mode - mcn0" + template: + src: "{{ role_path }}/templates/adc_tun_mode/mrglobal.conf.adc_tun_mode.j2" + dest: /opt/mrzcpd/etc/mrglobal.conf + when: + - nic_traffic_mirror is not defined + - tsg_access_type == 3 + + +- name: "update mrglobal.conf.ATCA_Vlan_Flipping" + template: + src: "{{ role_path 
}}/templates/ATCA_Vlan_Flipping/mrglobal.conf.ATCA_Vlan_Flipping.j2" + dest: /opt/mrzcpd/etc/mrglobal.conf + when: + - nic_traffic_mirror is not defined + - tsg_access_type == 4 + +- name: "update mrglobal.conf.ATCA_VXLAN" + template: + src: "{{ role_path }}/templates/ATCA_VXLAN/mrglobal.conf.ATCA_VXLAN.j2" + dest: /opt/mrzcpd/etc/mrglobal.conf + when: + - nic_traffic_mirror is not defined + - tsg_access_type == 5 + +- name: "update mrtunnat.conf.adc_inline" + template: + src: "{{ role_path }}/templates/adc_inline/mrtunnat.conf.adc_inline.j2" + dest: /opt/mrzcpd/etc/mrtunnat.conf + when: + - nic_traffic_mirror is not defined + - tsg_access_type == 1 + - tsg_running_type == 2 + +- name: "update mrtunnat.conf.server_inline" + template: + src: "{{ role_path }}/templates/server_inline/mrtunnat.conf.server_inline.j2" + dest: /opt/mrzcpd/etc/mrtunnat.conf + when: + - nic_traffic_mirror is not defined + - tsg_access_type == 1 + - tsg_running_type != 2 + +- name: "update mrtunnat.conf.allot_access - mcn0" + template: + src: "{{ role_path }}/templates/allot_access/mrtunnat.conf.allot_access.j2" + dest: /opt/mrzcpd/etc/mrtunnat.conf + when: + - nic_traffic_mirror is not defined + - tsg_access_type == 2 + +- name: "update mrtunnat.conf.adc_tun_mode - mcn0" + template: + src: "{{ role_path }}/templates/adc_tun_mode/mrtunnat.conf.adc_tun_mode.j2" + dest: /opt/mrzcpd/etc/mrtunnat.conf + when: + - nic_traffic_mirror is not defined + - tsg_access_type == 3 + +- name: "update mrtunnat.conf.ATCA_Vlan_Flipping" + template: + src: "{{ role_path }}/templates/ATCA_Vlan_Flipping/mrtunnat.conf.ATCA_Vlan_Flipping.j2" + dest: /opt/mrzcpd/etc/mrtunnat.conf + when: + - nic_traffic_mirror is not defined + - tsg_access_type == 4 + +- name: "update mrtunnat.conf.ATCA_VXLAN" + template: + src: "{{ role_path }}/templates/ATCA_VXLAN/mrtunnat.conf.ATCA_VXLAN.j2" + dest: /opt/mrzcpd/etc/mrtunnat.conf + when: + - nic_traffic_mirror is not defined + - tsg_access_type == 5 + +- name: "enable mrenv" + 
systemd: + name: mrenv + enabled: yes + daemon_reload: yes + when: + - tsg_access_type != 0 + +- name: "enable mrzcpd" + systemd: + name: mrzcpd + enabled: yes + daemon_reload: yes + when: + - tsg_access_type != 0 + +- name: "enable mrtunnat on master" + systemd: + name: mrtunnat + enabled: yes + daemon_reload: yes + when: + - nic_traffic_mirror is not defined + - tsg_access_type != 0 + +- name: "disable mrtunnat on slave" + systemd: + name: mrtunnat + enabled: no + daemon_reload: yes + when: nic_traffic_mirror is defined + +- name: "copy memory limit file to tfe.service.d" + copy: + src: "{{ role_path }}/files/memory.conf" + dest: /etc/systemd/system/mrzcpd.service.d/ + mode: 0644 + +- name: "mask mrzcpd on server_tun_mode" + systemd: + name: mrzcpd + enabled: no + masked: yes + daemon_reload: yes + when: + - tsg_access_type == 0 + +- name: "mask mrtunnat on server_tun_mode" + systemd: + name: mrtunnat + enabled: no + masked: yes + daemon_reload: yes + when: + - tsg_access_type == 0 diff --git a/roles/mrzcpd/templates/ATCA_VXLAN/mrglobal.conf.ATCA_VXLAN.j2 b/roles/mrzcpd/templates/ATCA_VXLAN/mrglobal.conf.ATCA_VXLAN.j2 new file mode 100644 index 0000000..8362c26 --- /dev/null +++ b/roles/mrzcpd/templates/ATCA_VXLAN/mrglobal.conf.ATCA_VXLAN.j2 
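Review bot: The `src` of the "copy mrapp.sapp4.conf to destination server" task has a trailing space inside the quotes, `"{{ role_path }}/templates/mrapp.sapp4.conf "`, so the template lookup fails on every host with `tsg_access_type == 4`; drop the space. The task "copy memory limit file to tfe.service.d" is named for tfe but writes to `/etc/systemd/system/mrzcpd.service.d/`, and it runs after the last unconditional `daemon_reload`, so the `MemoryMax` drop-in is not applied to the already-enabled mrzcpd unit until a later reload or the optional reboot role; rename the task and add `daemon_reload: yes` (or a handler) after the copy. The file also uses `enabled: yes`/`enabled: no` and an unquoted `mode: 0644`; `true`/`false` and `mode: "0644"` are the ansible-lint conventions and avoid YAML 1.1 typing surprises.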
@@ -0,0 +1,57 @@ +[device] +device={{ATCA_data_incoming.vf0_name}},{{ ATCA_data_incoming.vf1_name }},vxlan_user,vxlan_fwd +sz_tunnel=8192 +sz_buffer=32 + +[device:{{ATCA_data_incoming.vf0_name}}] +mtu=4096 +clear_tx_flags=1 +hw_strip_crc=1 +in_addr={{ ATCA_VXLAN.keepalive_ip }} +in_mask={{ ATCA_VXLAN.keepalive_mask }} +#rssmode=3 + +[device:{{ ATCA_data_incoming.vf1_name }}] +mtu=4096 +clear_tx_flags=1 +vlan-filter=1 +vlan-strip=1 +vlan-id-allow=4095 +vlan-pvid=0 +vlan-pvid-mode=2 +hw_strip_crc=1 +sz_tunnel=8192 +sz_buffer=0 + +[service] +# lcore id for i/o service, use comma to split +iocore={{ mrzcpd.iocore }} +distmode=1 +hashmode=0 +idle_threshold=10000 + +[eal] +virtaddr=0x7f40c4a00000 +loglevel=7 + +[keepalive] +check_spinlock=0 + +[ctrlzone] +ctrlzone0=tunnat,64 + +[pool] +create_mode=3 +sz_direct_pktmbuf=4194304 +sz_indirect_pktmbuf=8192 +sz_cache=256 +sz_data=4096 + +[forward] +nr_forward_rule=6 +forward_rule_0=pv,{{ATCA_data_incoming.vf0_name}},{{ATCA_data_incoming.vf0_name}} +forward_rule_1=vp,{{ATCA_data_incoming.vf0_name}},{{ATCA_data_incoming.vf0_name}} +forward_rule_2=vv,vxlan_fwd,vxlan_user +forward_rule_3=vv,vxlan_user,vxlan_fwd +forward_rule_4=pv,{{ ATCA_data_incoming.vf1_name }},{{ ATCA_data_incoming.vf1_name }} +forward_rule_5=vp,{{ ATCA_data_incoming.vf1_name }},{{ ATCA_data_incoming.vf1_name }} diff --git a/roles/mrzcpd/templates/ATCA_VXLAN/mrtunnat.conf.ATCA_VXLAN.j2 b/roles/mrzcpd/templates/ATCA_VXLAN/mrtunnat.conf.ATCA_VXLAN.j2 new file mode 100644 index 0000000..7256276 --- /dev/null +++ b/roles/mrzcpd/templates/ATCA_VXLAN/mrtunnat.conf.ATCA_VXLAN.j2 
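Review bot: The template gives no indication of which inventory variables it requires (`ATCA_data_incoming.vf0_name`/`vf1_name`, `ATCA_VXLAN.keepalive_ip`/`keepalive_mask`, `mrzcpd.iocore`), so a missing one surfaces only as a Jinja "undefined" error at template time; a header such as `{# requires: ATCA_data_incoming.vf0_name, ATCA_data_incoming.vf1_name, ATCA_VXLAN.keepalive_ip, ATCA_VXLAN.keepalive_mask, mrzcpd.iocore #}` would help. The same applies to the ATCA_Vlan_Flipping mrglobal template two sections below, which additionally needs the four `ATCA_VlanFlipping.vlanID_*` values. Expression spacing is mixed (`{{ATCA_data_incoming.vf0_name}}` beside `{{ ATCA_data_incoming.vf1_name }}`); pick one form. `#rssmode=3` is left commented out on vf0 only; if that is deliberate, a word on why keeps someone from re-enabling it.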
@@ -0,0 +1,20 @@ +[tunnat] +lcore_id={{ mrtunnat.lcore_id }} +appsym=tunnat +phydev={{ATCA_data_incoming.vf0_name}} +virtdev=vxlan_fwd +nr_max_sessions=524280 +nr_slots=1048576 +expire_time=60 +reverse_tunnel=0 +use_recent_tunnel=0 +use_link_info_table=1 +use_tuple4_as_sskey=0 +ctrlzone_addr_info_type=2 +idle_threshold=10000 + +[vlan_flipping] +enable=0 +c_router_vlan_id_0=1000 +i_router_vlan_id_0=1001 +en_mac_flipping_0=0 diff --git a/roles/mrzcpd/templates/ATCA_Vlan_Flipping/mrglobal.conf.ATCA_Vlan_Flipping.j2 b/roles/mrzcpd/templates/ATCA_Vlan_Flipping/mrglobal.conf.ATCA_Vlan_Flipping.j2 new file mode 100644 index 0000000..ef27407 --- /dev/null +++ b/roles/mrzcpd/templates/ATCA_Vlan_Flipping/mrglobal.conf.ATCA_Vlan_Flipping.j2 
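Review bot: `use_link_info_table=1` and `use_tuple4_as_sskey=0` differ from the adc_inline, adc_tun_mode and allot_access mrtunnat templates later in this commit, which set `use_tuple4_as_sskey=1` and omit `use_link_info_table`; nothing on the page explains the difference, so a comment above `[tunnat]` stating why the VXLAN mode needs the link-info table would stop the values being "harmonised" later. The `[vlan_flipping]` block is `enable=0` yet still carries `c_router_vlan_id_0=1000`/`i_router_vlan_id_0=1001`; if the daemon requires those keys even when disabled, say so in a comment, otherwise drop them.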
@@ -0,0 +1,60 @@ +[device] +device={{ATCA_data_incoming.vf0_name}},{{ ATCA_data_incoming.vf1_name }},vxlan_user,vxlan_fwd +sz_tunnel=8192 +sz_buffer=32 + +[device:{{ATCA_data_incoming.vf0_name}}] +mtu=4096 +clear_tx_flags=1 +vlan-filter=1 +vlan-strip=1 +vlan-id-allow={{ ATCA_VlanFlipping.vlanID_1 }},{{ ATCA_VlanFlipping.vlanID_2 }},{{ ATCA_VlanFlipping.vlanID_3 }},{{ ATCA_VlanFlipping.vlanID_4 }} +vlan-pvid=0 +vlan-pvid-mode=2 +hw_strip_crc=1 +#rssmode=3 + +[device:{{ ATCA_data_incoming.vf1_name }}] +mtu=4096 +clear_tx_flags=1 +vlan-filter=1 +vlan-strip=1 +vlan-id-allow=4095 +vlan-pvid=0 +vlan-pvid-mode=2 +hw_strip_crc=1 +sz_tunnel=8192 +sz_buffer=0 + +[service] +# lcore id for i/o service, use comma to split +iocore={{ mrzcpd.iocore }} +distmode=1 +hashmode=0 +idle_threshold=10000 + +[eal] +virtaddr=0x7f40c4a00000 +loglevel=7 + +[keepalive] +check_spinlock=0 + +[ctrlzone] +ctrlzone0=tunnat,64 + +[pool] +create_mode=3 +sz_direct_pktmbuf=4194304 +sz_indirect_pktmbuf=8192 +sz_cache=256 +sz_data=4096 + +[forward] +nr_forward_rule=6 +forward_rule_0=pv,{{ATCA_data_incoming.vf0_name}},{{ATCA_data_incoming.vf0_name}} +forward_rule_1=vp,{{ATCA_data_incoming.vf0_name}},{{ATCA_data_incoming.vf0_name}} +forward_rule_2=vv,vxlan_fwd,vxlan_user +forward_rule_3=vv,vxlan_user,vxlan_fwd +forward_rule_4=pv,{{ ATCA_data_incoming.vf1_name }},{{ ATCA_data_incoming.vf1_name }} +forward_rule_5=vp,{{ ATCA_data_incoming.vf1_name }},{{ ATCA_data_incoming.vf1_name }} diff --git a/roles/mrzcpd/templates/ATCA_Vlan_Flipping/mrtunnat.conf.ATCA_Vlan_Flipping.j2 b/roles/mrzcpd/templates/ATCA_Vlan_Flipping/mrtunnat.conf.ATCA_Vlan_Flipping.j2 new file mode 100644 index 0000000..ba065db --- /dev/null +++ b/roles/mrzcpd/templates/ATCA_Vlan_Flipping/mrtunnat.conf.ATCA_Vlan_Flipping.j2 
@@ -0,0 +1,23 @@ +[tunnat] +lcore_id={{ mrtunnat.lcore_id }} +appsym=tunnat +phydev={{ATCA_data_incoming.vf0_name}} +virtdev=vxlan_fwd +nr_max_sessions=524280 +nr_slots=1048576 +expire_time=60 +reverse_tunnel=0 +use_recent_tunnel=0 +use_link_info_table=1 +use_tuple4_as_sskey=0 +ctrlzone_addr_info_type=2 +idle_threshold=10000 + +[vlan_flipping] +enable=1 +c_router_vlan_id_0={{ ATCA_VlanFlipping.vlanID_1 }} +i_router_vlan_id_0={{ ATCA_VlanFlipping.vlanID_2 }} +en_mac_flipping_0=0 +c_router_vlan_id_1={{ ATCA_VlanFlipping.vlanID_3 }} +i_router_vlan_id_1={{ ATCA_VlanFlipping.vlanID_4 }} +en_mac_flipping_1=0 diff --git a/roles/mrzcpd/templates/adc_inline/mrglobal.conf.adc_inline.j2 b/roles/mrzcpd/templates/adc_inline/mrglobal.conf.adc_inline.j2 new file mode 100644 index 0000000..af31df6 --- /dev/null +++ b/roles/mrzcpd/templates/adc_inline/mrglobal.conf.adc_inline.j2 
@@ -0,0 +1,67 @@ +[device] +device={{nic_data_incoming.name}},{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe2.name}},vxlan_user,vxlan_fwd +sz_tunnel=8192 +sz_buffer=0 + +[device:{{nic_data_incoming.name}}] +in_addr={{inline_device_config.keepalive_ip}} +in_mask={{inline_device_config.keepalive_mask}} +jumbo_frame=1 +max_rx_pkt_len=15360 +clear_tx_flags=1 +vlan-filter=1 +vlan-id-allow=1000,1001,4000,4001 + +[device:{{nic_to_tfe.tfe0.name}}] +jumbo_frame=1 +max_rx_pkt_len=15360 +clear_tx_flags=1 +promisc=1 + +[device:{{nic_to_tfe.tfe1.name}}] +jumbo_frame=1 +max_rx_pkt_len=15360 +clear_tx_flags=1 +promisc=1 + +[device:{{nic_to_tfe.tfe2.name}}] +jumbo_frame=1 +max_rx_pkt_len=15360 +clear_tx_flags=1 +promisc=1 + +[service] +# lcore id for i/o service, use comma to split +iocore={{ mrzcpd.iocore }} +distmode=2 +hashmode=0 + +[eal] +virtaddr=0x7f40c4a00000 +loglevel=7 + +[keepalive] +check_spinlock=0 + +[ctrlzone] +ctrlzone0=tunnat,64 + +[pool] +create_mode=3 +sz_direct_pktmbuf=4194304 +sz_indirect_pktmbuf=8192 +sz_cache=256 +sz_data=4096 + +[forward] +nr_forward_rule=10 +forward_rule_0=pv,{{nic_data_incoming.name}},{{nic_data_incoming.name}} +forward_rule_1=vp,{{nic_data_incoming.name}},{{nic_data_incoming.name}} +forward_rule_2=vv,vxlan_fwd,vxlan_user +forward_rule_3=vv,vxlan_user,vxlan_fwd +forward_rule_4=pv,{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe0.name}} +forward_rule_5=vp,{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe0.name}} +forward_rule_6=pv,{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe1.name}} +forward_rule_7=vp,{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe1.name}} +forward_rule_8=pv,{{nic_to_tfe.tfe2.name}},{{nic_to_tfe.tfe2.name}} +forward_rule_9=vp,{{nic_to_tfe.tfe2.name}},{{nic_to_tfe.tfe2.name}} diff --git a/roles/mrzcpd/templates/adc_inline/mrtunnat.conf.adc_inline.j2 b/roles/mrzcpd/templates/adc_inline/mrtunnat.conf.adc_inline.j2 new file mode 100644 index 0000000..e690909 --- /dev/null 
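Review bot: The VLAN IDs in `vlan-id-allow=1000,1001,4000,4001` are hard-coded here and repeated by hand as the `c_router_vlan_id_*`/`i_router_vlan_id_*` pairs in the mrtunnat.conf.adc_inline template in the next section; the two lists presumably must stay in step, and nothing enforces it. The same duplication appears in the adc_tun_mode pair (`1000,1001,2000,2001,4000,4001`) and the allot_access pair (`4000,4001,1000,1001` plus the two `AllotAccess.virturlID_*` values). Defining the pairs once in group_vars (a list of `{c: 1000, i: 1001}`-style items) and rendering both files from it with a `{% for %}` loop removes the drift risk; until then, a comment in each file pointing at its partner is the minimum.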
+++ b/roles/mrzcpd/templates/adc_inline/mrtunnat.conf.adc_inline.j2 @@ -0,0 +1,21 @@ +[tunnat] +lcore_id={{ mrtunnat.lcore_id }} +appsym=tunnat +phydev={{nic_data_incoming.name}} +virtdev=vxlan_fwd +nr_max_sessions=524280 +nr_slots=1048576 +expire_time=60 +reverse_tunnel=0 +use_recent_tunnel=0 +use_tuple4_as_sskey=1 +ctrlzone_addr_info_type=2 + +[vlan_flipping] +enable=1 +c_router_vlan_id_0=1000 +i_router_vlan_id_0=1001 +en_mac_flipping_0=0 +c_router_vlan_id_1=4000 +i_router_vlan_id_1=4001 +en_mac_flipping_1=0 diff --git a/roles/mrzcpd/templates/adc_tun_mode/mrglobal.conf.adc_tun_mode.j2 b/roles/mrzcpd/templates/adc_tun_mode/mrglobal.conf.adc_tun_mode.j2 new file mode 100644 index 0000000..f4a56cc --- /dev/null +++ b/roles/mrzcpd/templates/adc_tun_mode/mrglobal.conf.adc_tun_mode.j2 
@@ -0,0 +1,68 @@ +[device] +device={{nic_data_incoming.name}},{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe2.name}},vxlan_user,vxlan_fwd +sz_tunnel=8192 +sz_buffer=0 + +[device:{{nic_data_incoming.name}}] +jumbo_frame=1 +max_rx_pkt_len=15360 +clear_tx_flags=1 +vlan-filter=1 +vlan-id-allow=1000,1001,2000,2001,4000,4001 +vlan-pvid=0 +vlan-pvid-mode=2 +promisc=1 + +[device:{{nic_to_tfe.tfe0.name}}] +jumbo_frame=1 +max_rx_pkt_len=15360 +clear_tx_flags=1 +promisc=1 + +[device:{{nic_to_tfe.tfe1.name}}] +jumbo_frame=1 +max_rx_pkt_len=15360 +clear_tx_flags=1 +promisc=1 + +[device:{{nic_to_tfe.tfe2.name}}] +jumbo_frame=1 +max_rx_pkt_len=15360 +clear_tx_flags=1 +promisc=1 + +[service] +# lcore id for i/o service, use comma to split +iocore={{ mrzcpd.iocore }} +distmode=2 +hashmode=0 + +[eal] +virtaddr=0x7f40c4a00000 +loglevel=7 + +[keepalive] +check_spinlock=0 + +[ctrlzone] +ctrlzone0=tunnat,64 + +[pool] +create_mode=3 +sz_direct_pktmbuf=4194304 +sz_indirect_pktmbuf=8192 +sz_cache=256 +sz_data=4096 + +[forward] +nr_forward_rule=10 +forward_rule_0=pv,{{nic_data_incoming.name}},{{nic_data_incoming.name}} +forward_rule_1=vp,{{nic_data_incoming.name}},{{nic_data_incoming.name}} +forward_rule_2=vv,vxlan_fwd,vxlan_user +forward_rule_3=vv,vxlan_user,vxlan_fwd +forward_rule_4=pv,{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe0.name}} +forward_rule_5=vp,{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe0.name}} +forward_rule_6=pv,{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe1.name}} +forward_rule_7=vp,{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe1.name}} +forward_rule_8=pv,{{nic_to_tfe.tfe2.name}},{{nic_to_tfe.tfe2.name}} +forward_rule_9=vp,{{nic_to_tfe.tfe2.name}},{{nic_to_tfe.tfe2.name}} diff --git a/roles/mrzcpd/templates/adc_tun_mode/mrtunnat.conf.adc_tun_mode.j2 b/roles/mrzcpd/templates/adc_tun_mode/mrtunnat.conf.adc_tun_mode.j2 new file mode 100644 index 0000000..19a709a --- /dev/null +++ b/roles/mrzcpd/templates/adc_tun_mode/mrtunnat.conf.adc_tun_mode.j2 
@@ -0,0 +1,24 @@ +[tunnat] +lcore_id={{ mrtunnat.lcore_id }} +appsym=tunnat +phydev={{nic_data_incoming.name}} +virtdev=vxlan_fwd +nr_max_sessions=524280 +nr_slots=1048576 +expire_time=60 +reverse_tunnel=0 +use_recent_tunnel=0 +use_tuple4_as_sskey=1 +ctrlzone_addr_info_type=2 + +[vlan_flipping] +enable=1 +c_router_vlan_id_0=1000 +i_router_vlan_id_0=1001 +en_mac_flipping_0=0 +c_router_vlan_id_1=2000 +i_router_vlan_id_1=2001 +en_mac_flipping_1=0 +c_router_vlan_id_2=4000 +i_router_vlan_id_2=4001 +en_mac_flipping_2=0 diff --git a/roles/mrzcpd/templates/allot_access/mrglobal.conf.allot_access.j2 b/roles/mrzcpd/templates/allot_access/mrglobal.conf.allot_access.j2 new file mode 100644 index 0000000..8b0fd7f --- /dev/null +++ b/roles/mrzcpd/templates/allot_access/mrglobal.conf.allot_access.j2 
@@ -0,0 +1,69 @@ +[device] +device=ens1f4,ens1f5,ens1f6,ens1f7,vxlan_user,vxlan_fwd +sz_tunnel=8192 +sz_buffer=0 + +[device:ens1f4] +jumbo_frame=1 +max_rx_pkt_len=15360 +clear_tx_flags=1 +vlan-filter=1 +vlan-id-allow={{ AllotAccess.virturlID_1 }},{{ AllotAccess.virturlID_2 }},4000,4001,1000,1001 +vlan-pvid=0 +vlan-pvid-mode=2 +promisc=1 + +[device:ens1f5] +jumbo_frame=1 +max_rx_pkt_len=15360 +clear_tx_flags=1 +promisc=1 + +[device:ens1f6] +jumbo_frame=1 +max_rx_pkt_len=15360 +clear_tx_flags=1 +promisc=1 + +[device:ens1f7] +jumbo_frame=1 +max_rx_pkt_len=15360 +clear_tx_flags=1 +promisc=1 + +[service] +# lcore id for i/o service, use comma to split +iocore={{ mrzcpd.iocore }} +distmode=2 +hashmode=0 + +[eal] +virtaddr=0x7f40c4a00000 +loglevel=7 + +[keepalive] +check_spinlock=0 + +[ctrlzone] +ctrlzone0=tunnat,64 + +[pool] +create_mode=3 +sz_direct_pktmbuf=4194304 +sz_indirect_pktmbuf=8192 +sz_cache=256 +sz_data=4096 + +[forward] +nr_forward_rule=10 +forward_rule_0=pv,ens1f4,ens1f4 +forward_rule_1=vp,ens1f4,ens1f4 +forward_rule_2=vv,vxlan_fwd,vxlan_user +forward_rule_3=vv,vxlan_user,vxlan_fwd +forward_rule_4=pv,ens1f5,ens1f5 +forward_rule_5=vp,ens1f5,ens1f5 +forward_rule_6=pv,ens1f6,ens1f6 +forward_rule_7=vp,ens1f6,ens1f6 +forward_rule_8=pv,ens1f7,ens1f7 +forward_rule_9=vp,ens1f7,ens1f7 + diff --git a/roles/mrzcpd/templates/allot_access/mrtunnat.conf.allot_access.j2 b/roles/mrzcpd/templates/allot_access/mrtunnat.conf.allot_access.j2 new file mode 100644 index 0000000..d3afbbb --- /dev/null +++ b/roles/mrzcpd/templates/allot_access/mrtunnat.conf.allot_access.j2 
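Review bot: The allot_access templates hard-code the interface names `ens1f4`..`ens1f7` (in `[device]`, each `[device:...]` stanza and the forward rules here, and `phydev=ens1f4` in the mrtunnat template in the next section), while every other access mode takes them from `nic_data_incoming` / `nic_to_tfe`; a host whose NICs enumerate differently gets a silently wrong configuration. Use the same variables here. The trailing blank `+ ` line at the end of the file is harmless but inconsistent with the other templates.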
@@ -0,0 +1,25 @@ +[tunnat] +lcore_id={{ mrtunnat.lcore_id }} +appsym=tunnat +phydev=ens1f4 +virtdev=vxlan_fwd +nr_max_sessions=524280 +nr_slots=1048576 +expire_time=60 +reverse_tunnel=0 +use_recent_tunnel=0 +use_tuple4_as_sskey=1 +ctrlzone_addr_info_type=2 + +[vlan_flipping] +enable=1 +c_router_vlan_id_0={{ AllotAccess.virturlID_1 }} +i_router_vlan_id_0={{ AllotAccess.virturlID_2 }} +en_mac_flipping_0=1 +c_router_vlan_id_1=1000 +i_router_vlan_id_1=1001 +en_mac_flipping_1=0 +c_router_vlan_id_2=4000 +i_router_vlan_id_2=4001 +en_mac_flipping_2=0 + diff --git a/roles/mrzcpd/templates/mrapp.sapp4.conf b/roles/mrzcpd/templates/mrapp.sapp4.conf new file mode 100644 index 0000000..797f704 --- /dev/null +++ b/roles/mrzcpd/templates/mrapp.sapp4.conf @@ -0,0 +1,2 @@ +[bpfdump:vxlan_user] +enable=1 diff --git a/roles/mrzcpd/templates/mrzcpd.j2 b/roles/mrzcpd/templates/mrzcpd.j2 new file mode 100644 index 0000000..ef7fc2f --- /dev/null +++ b/roles/mrzcpd/templates/mrzcpd.j2 @@ -0,0 +1,3 @@ +MRZCPD_ROOT=/opt/mrzcpd +HUGEPAGE_NUM_2M=16384 +DEFAULT_UIO_MODULE="igb_uio" \ No newline at end of file diff --git a/roles/mrzcpd/templates/server_inline/mrglobal.conf.server_inline.j2 b/roles/mrzcpd/templates/server_inline/mrglobal.conf.server_inline.j2 new file mode 100644 index 0000000..e19e383 --- /dev/null +++ b/roles/mrzcpd/templates/server_inline/mrglobal.conf.server_inline.j2 
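Review bot: `mrzcpd.j2` contains no Jinja expression, so `HUGEPAGE_NUM_2M=16384` (32 GiB of 2 MiB hugepages) and `DEFAULT_UIO_MODULE="igb_uio"` are fixed for every host the role serves; either move the file to `files/` and `copy` it, or make the hugepage count a role variable with this value as the default. It also lacks a trailing newline, which sysconfig sourcing tolerates but which diffs poorly. `mrapp.sapp4.conf` sits under `templates/` without a `.j2` suffix, unlike its siblings, and enables `[bpfdump:vxlan_user]`; a one-line comment saying what that dump is for and where it writes would help whoever audits the tsg_access_type 4 hosts.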
@@ -0,0 +1,47 @@ +[device] +device={{inline_device_config.data_incoming}},vxlan_user,vxlan_fwd +sz_tunnel=8192 +sz_buffer=0 + +[device:{{inline_device_config.data_incoming}}] +in_addr={{inline_device_config.keepalive_ip}} +in_mask={{inline_device_config.keepalive_mask}} +jumbo_frame=1 +max_rx_pkt_len=15360 +clear_tx_flags=1 + +#[device:] +#jumbo_frame=1 +#max_rx_pkt_len=15360 +#clear_tx_flags=1 +#promisc=1 + +[service] +# lcore id for i/o service, use comma to split +iocore={{ mrzcpd.iocore }} +distmode=2 +hashmode=0 + +[eal] +virtaddr=0x7f40c4a00000 +loglevel=7 + +[keepalive] +check_spinlock=0 + +[ctrlzone] +ctrlzone0=tunnat,64 + +[pool] +create_mode=3 +sz_direct_pktmbuf=4194304 +sz_indirect_pktmbuf=8192 +sz_cache=256 +sz_data=4096 + +[forward] +nr_forward_rule=4 +forward_rule_0=pv,{{inline_device_config.data_incoming}},{{inline_device_config.data_incoming}} +forward_rule_1=vp,{{inline_device_config.data_incoming}},{{inline_device_config.data_incoming}} +forward_rule_2=vv,vxlan_fwd,vxlan_user +forward_rule_3=vv,vxlan_user,vxlan_fwd diff --git a/roles/mrzcpd/templates/server_inline/mrtunnat.conf.server_inline.j2 b/roles/mrzcpd/templates/server_inline/mrtunnat.conf.server_inline.j2 new file mode 100644 index 0000000..8062df4 --- /dev/null +++ b/roles/mrzcpd/templates/server_inline/mrtunnat.conf.server_inline.j2 @@ -0,0 +1,18 @@ +[tunnat] +lcore_id={{ mrtunnat.lcore_id }} +appsym=tunnat +phydev={{inline_device_config.data_incoming}} +virtdev=vxlan_fwd +nr_max_sessions=524280 +nr_slots=1048576 +expire_time=60 +reverse_tunnel=0 +use_recent_tunnel=0 +use_tuple4_as_sskey=1 +ctrlzone_addr_info_type=2 + +[vlan_flipping] +enable=0 +c_router_vlan_id_0=1000 +i_router_vlan_id_0=1001 +en_mac_flipping_0=0 diff --git a/roles/mrzcpd/templates/traffic_mirror/mrglobal.conf.traffic_mirror.j2 b/roles/mrzcpd/templates/traffic_mirror/mrglobal.conf.traffic_mirror.j2 new file mode 100644 index 0000000..7fa9f39 --- /dev/null 
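Review bot: The commented-out `#[device:]` stanza in mrglobal.conf.server_inline is dead text with an empty device name; drop it, or replace it with a one-line comment stating that server_inline has no tfe-facing devices. In the mrtunnat.conf.server_inline template in the same section, `[vlan_flipping]` is `enable=0` but keeps `c_router_vlan_id_0=1000`/`i_router_vlan_id_0=1001`, the same pattern as the ATCA_VXLAN mrtunnat template; a comment on whether the daemon needs the keys when disabled would settle it for both.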
+++ b/roles/mrzcpd/templates/traffic_mirror/mrglobal.conf.traffic_mirror.j2 @@ -0,0 +1,27 @@ +[device] +device={{nic_traffic_mirror.name}} +sz_tunnel=8192 +sz_buffer=0 + +[device:{{nic_traffic_mirror.name}}] +jumbo_frame=1 +max_rx_pkt_len=15360 +clear_tx_flags=1 +promisc=1 + +[service] +iocore={{ mrzcpd.iocore }} + +[eal] +virtaddr=0x7d0000000000 +loglevel=7 + +[keepalive] +check_spinlock=1 + +[pool] +create_mode=3 +sz_direct_pktmbuf=4194304 +sz_indirect_pktmbuf=8192 +sz_cache=256 +sz_data=4096 diff --git a/roles/packet_dump/files/packet_dump-1.0.4.82e85d1-2.el7.x86_64.rpm b/roles/packet_dump/files/packet_dump-1.0.4.82e85d1-2.el7.x86_64.rpm new file mode 100644 index 0000000..b84172a Binary files /dev/null and b/roles/packet_dump/files/packet_dump-1.0.4.82e85d1-2.el7.x86_64.rpm differ diff --git a/roles/packet_dump/files/packet_dump.service b/roles/packet_dump/files/packet_dump.service new file mode 100644 index 0000000..48f176d --- /dev/null +++ b/roles/packet_dump/files/packet_dump.service @@ -0,0 +1,19 @@ +[Unit] +Description=packet dump service +After=After=network.target + +[Service] +Type=fork +WorkingDirectory=/home/mesasoft/packet_dump +ExecStart=/home/mesasoft/packet_dump/packet_dump +TimeoutSec=60s +RestartSec=10s +Restart=always +LimitNOFILE=524288 +LimitNPROC=infinity +LimitCORE=infinity +TasksMax=infinity +Delegate=yes + +[Install] +WantedBy=multi-user.target diff --git a/roles/packet_dump/tasks/main.yml b/roles/packet_dump/tasks/main.yml new file mode 100644 index 0000000..ddb0ad4 --- /dev/null +++ b/roles/packet_dump/tasks/main.yml 
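Review bot: `virtaddr=0x7d0000000000` and `check_spinlock=1` differ from the `0x7f40c4a00000` and `check_spinlock=0` used by every other mrglobal template in this commit, and `[ctrlzone]` is absent; if the mirror host genuinely needs a different EAL base address and spinlock checking, a comment above `[eal]` and `[keepalive]` saying why would keep the values from being aligned with the others by mistake.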
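Review bot: `After=After=network.target` is a typo — systemd rejects `After=network.target` as an invalid unit name, so the ordering after the network is lost — and `Type=fork` is not an accepted `Type=` value (the keyword is `forking`), so systemd logs a parse error and falls back to `simple`, which changes when the unit counts as started. Change them to `After=network.target` and `Type=forking` (or `simple` if the binary does not daemonise; the page does not show which). The unit also runs as root from `/home/mesasoft/packet_dump` with `LimitCORE=infinity` and `Delegate=yes`; if capture only needs raw-socket rights, a `User=` with `AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN` narrows it, and dumps under a home directory are hard to audit.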
@@ -0,0 +1,28 @@ +- name: "copy packet_dump rpm to destination server" + copy: + src: "{{ role_path }}/files/packet_dump-1.0.4.82e85d1-2.el7.x86_64.rpm" + dest: /tmp/ansible_deploy/ + +- name: "copy packet_dump.service to destination server" + copy: + src: "{{ role_path }}/files/packet_dump.service" + dest: /usr/lib/systemd/system + mode: 0755 + +- name: "install packet_dump rpm from localhost" + yum: + name: + - /tmp/ansible_deploy/packet_dump-1.0.4.82e85d1-2.el7.x86_64.rpm + state: present + +- name: "Template the packet_dump.conf" + template: + src: "{{ role_path }}/templates/packet_dump.conf.j2" + dest: /home/mesasoft/packet_dump/conf/packet_dump.conf + tags: template + +- name: "start packet_dump" + systemd: + name: packet_dump.service + enabled: yes + daemon_reload: yes diff --git a/roles/packet_dump/templates/packet_dump.conf.j2 b/roles/packet_dump/templates/packet_dump.conf.j2 new file mode 100644 index 0000000..da794a6 --- /dev/null +++ b/roles/packet_dump/templates/packet_dump.conf.j2 @@ -0,0 +1,14 @@ +[KAFKA] +BROKER_LIST={{ log_kafkabrokers.address }} + +[SYSTEM] +NIC_NAME={{ nic_mgr.name }} +LOG_LEVEL={{ packet_dump_log_level }} +LOG_PATH=log/packet_dump + +[breakpad] +disable_coredump=0 +enable_breakpad=1 +breakpad_minidump_dir=/tmp/packet_dump/crashreport +enable_breakpad_upload=0 +breakpad_upload_url={{ breakpad_upload_url }} diff --git a/roles/proxy_status/files/proxy-status.service b/roles/proxy_status/files/proxy-status.service new file mode 100644 index 0000000..db954dd --- /dev/null +++ b/roles/proxy_status/files/proxy-status.service @@ -0,0 +1,11 @@ +[Unit] +Description=proxy status + +[Service] +ExecStart=/opt/proxy_status/proxy_start +ExecStop=/opt/proxy_status/proxy_stop +Type=oneshot +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target diff --git a/roles/proxy_status/files/proxy_start b/roles/proxy_status/files/proxy_start new file mode 100644 index 0000000..46597e2 --- /dev/null +++ b/roles/proxy_status/files/proxy_start 
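Review bot: The task named "start packet_dump" only sets `enabled: yes`; without `state: started` the service is not running until the next boot, and the deploy playbook's reboot role runs only when `Deploy_finished_reboot == 1`. Add `state: started` or rename the task. The unit file is copied with `mode: 0755`; unit files need no execute bit and `"0644"` is the convention. The template task writes to `/home/mesasoft/packet_dump/conf/packet_dump.conf`, presumably created by the RPM — if the package does not ship `conf/`, the template task fails on the missing directory.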
@@ -0,0 +1,12 @@
+#!/bin/bash
+#
+
+systemctl start tsg-env-tun-mode.service &>/dev/null &
+sleep 2
+systemctl start sapp.service &>/dev/null &
+sleep 5
+systemctl start tfe-env.service &>/dev/null &
+sleep 5
+systemctl start tfe.service &>/dev/null &
+systemctl start certstore.service &>/dev/null &
+systemctl start cert-redis.service &>/dev/null &
diff --git a/roles/proxy_status/files/proxy_status b/roles/proxy_status/files/proxy_status
new file mode 100644
index 0000000..b124225
--- /dev/null
+++ b/roles/proxy_status/files/proxy_status
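Review bot: Every `systemctl start` is backgrounded with its output and exit status discarded (`&>/dev/null &`), so `proxy_start` always exits 0 and the oneshot `proxy-status` unit reports success even when nothing started; drop the `&` and the redirect (or collect failures with `|| rc=1`) so the unit's state reflects reality, and the `sleep` ordering is then honoured instead of raced. The start list omits `mrzcpd`/`mrenv`/`mrtunnat` while `proxy_stop` two sections below stops `mrzcpd` and `mrtunnat` and `proxy_status` reports on all three; if the intent is that sapp's `Requires=mrzcpd.service` pulls them in, say so on the `#` header line, which is currently empty. The same swallowed-status pattern is in `proxy_stop`.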
@@ -0,0 +1,65 @@
+#!/bin/bash
+#
+
+systemctl status tsg-env-tun-mode &>/dev/null
+if [ $? -eq 0 ];then
+ echo -e "\033[32m tsg-env-tun-mode is running \033[0m"
+else
+ echo -e "\033[31m tsg-env-tun-mode is down \033[0m"
+fi
+
+systemctl status mrzcpd &>/dev/null
+if [ $? -eq 0 ];then
+ echo -e "\033[32m mrzcpd is running \033[0m"
+else
+ echo -e "\033[31m mrzcpd is down \033[0m"
+fi
+
+systemctl status mrenv &>/dev/null
+if [ $? -eq 0 ];then
+ echo -e "\033[32m mrenv is running \033[0m"
+else
+ echo -e "\033[31m mrenv is down \033[0m"
+fi
+
+systemctl status mrtunnat &>/dev/null
+if [ $? -eq 0 ];then
+ echo -e "\033[32m mrtunnat is running \033[0m"
+else
+ echo -e "\033[31m mrtunnat is down \033[0m"
+fi
+
+systemctl status sapp &>/dev/null
+if [ $? -eq 0 ];then
+ echo -e "\033[32m sapp is running \033[0m"
+else
+ echo -e "\033[31m sapp is down \033[0m"
+fi
+
+systemctl status tfe-env &>/dev/null
+if [ $? -eq 0 ];then
+ echo -e "\033[32m tfe-env is running \033[0m"
+else
+ echo -e "\033[31m tfe-env is down \033[0m"
+fi
+
+systemctl status tfe &>/dev/null
+if [ $? -eq 0 ];then
+ echo -e "\033[32m tfe is running \033[0m"
+else
+ echo -e "\033[31m tfe is down \033[0m"
+fi
+
+systemctl status certstore &>/dev/null
+if [ $? -eq 0 ];then
+ echo -e "\033[32m certstore is running \033[0m"
+else
+ echo -e "\033[31m certstore is down \033[0m"
+fi
+
+systemctl status cert-redis &>/dev/null
+if [ $? -eq 0 ];then
+ echo -e "\033[32m cert-redis is running \033[0m"
+else
+ echo -e "\033[31m cert-redis is down \033[0m"
+fi
diff --git a/roles/proxy_status/files/proxy_stop b/roles/proxy_status/files/proxy_stop
new file mode 100644
index 0000000..a5e9a63
--- /dev/null
+++ b/roles/proxy_status/files/proxy_stop
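Review bot: The nine near-identical blocks run `systemctl status` and then test `$?`, which is the older idiom for what `systemctl is-active --quiet` exists to answer, and a loop over the service names removes eight copies of the same six lines. The script also emits ANSI colour unconditionally, which litters logs when its output is captured; gating the escapes on `[ -t 1 ]` keeps the interactive behaviour. A rewrite producing the same lines:
```shell
#!/bin/bash
# Print the running/down state of each proxy-side service.

services=(tsg-env-tun-mode mrzcpd mrenv mrtunnat sapp tfe-env tfe certstore cert-redis)

if [ -t 1 ]; then
    green=$'\033[32m'; red=$'\033[31m'; reset=$'\033[0m'
else
    green=''; red=''; reset=''
fi

for svc in "${services[@]}"; do
    if systemctl is-active --quiet "$svc"; then
        printf '%s %s is running %s\n' "$green" "$svc" "$reset"
    else
        printf '%s %s is down %s\n' "$red" "$svc" "$reset"
    fi
done
```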
@@ -0,0 +1,12 @@ +#!/bin/bash +# + +systemctl stop tsg-env-tun-mode.service &>/dev/null & +systemctl stop mrzcpd.service &>/dev/null & +systemctl stop mrtunnat.service &>/dev/null & +systemctl stop sapp.service &>/dev/null & +systemctl stop tfe-env.service &>/dev/null & +systemctl stop tfe.service &>/dev/null & +systemctl stop certstore.service &>/dev/null & +systemctl stop cert-redis.service &>/dev/null & + diff --git a/roles/proxy_status/tasks/main.yml b/roles/proxy_status/tasks/main.yml new file mode 100644 index 0000000..f8fe34e --- /dev/null +++ b/roles/proxy_status/tasks/main.yml @@ -0,0 +1,24 @@ +--- +- name: "create /opt/proxy_status" + file: + path: /opt/proxy_status + state: directory + +- name: "copy files" + copy: + src: "{{ role_path }}/files/" + dest: /opt/proxy_status + mode: 0755 + +- name: "copy proxy-status.service" + copy: + src: "{{ role_path }}/files/proxy-status.service" + dest: "/usr/lib/systemd/system/" + mode: 0644 + +- name: "enable proxy-status" + systemd: + name: proxy-status + enabled: yes + daemon_reload: yes + diff --git a/roles/radius/files/ntc_radius_plug-1.0.1.57ab95a-2.el7.x86_64.rpm b/roles/radius/files/ntc_radius_plug-1.0.1.57ab95a-2.el7.x86_64.rpm new file mode 100644 index 0000000..36c4111 Binary files /dev/null and b/roles/radius/files/ntc_radius_plug-1.0.1.57ab95a-2.el7.x86_64.rpm differ diff --git a/roles/radius/files/radius-1.0.2.7bddf74-2.el7.x86_64.rpm b/roles/radius/files/radius-1.0.2.7bddf74-2.el7.x86_64.rpm new file mode 100644 index 0000000..18053a2 Binary files /dev/null and b/roles/radius/files/radius-1.0.2.7bddf74-2.el7.x86_64.rpm differ diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml new file mode 100644 index 0000000..45abf13 --- /dev/null +++ b/roles/radius/tasks/main.yml 
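Review bot: The "copy files" task in roles/proxy_status/tasks/main.yml pushes the whole `files/` directory, including `proxy-status.service`, into `/opt/proxy_status` with `mode: 0755`, and the next task copies that same unit again into `/usr/lib/systemd/system/`; the first copy leaves an executable duplicate of the unit in `/opt`. List the three scripts explicitly (or keep the unit outside `files/`) so the directory copy carries only scripts. "enable proxy-status" passes no `state: started`, so on a host that is not rebooted the unit stays inactive — the same gap as in the packet_dump role.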
@@ -0,0 +1,23 @@ +--- +- name: "copy radius rpms to destination server" + copy: + src: "{{ role_path }}/files/" + dest: /tmp/ansible_deploy/ + +- name: "install firewall packages" + yum: + name: "{{ radius_packages }}" + state: present + skip_broken: yes + vars: + radius_packages: + - /tmp/ansible_deploy/radius-1.0.2.7bddf74-2.el7.x86_64.rpm + - /tmp/ansible_deploy/ntc_radius_plug-1.0.1.57ab95a-2.el7.x86_64.rpm + + +- name: "Template the conf/radius/radius.conf" + template: + src: "{{ role_path }}/templates/radius.conf.j2" + dest: /home/mesasoft/sapp_run/conf/radius/radius.conf + tags: template + diff --git a/roles/radius/templates/radius.conf b/roles/radius/templates/radius.conf new file mode 100644 index 0000000..aac6bec --- /dev/null +++ b/roles/radius/templates/radius.conf @@ -0,0 +1,14 @@ +[RADIUS_PLUG] +DEVICE_ID=0 +BROKERLIST={{ log_kafkabrokers.address }} +COLLECT_TOPIC=RADIUS-RECORD-LOG +SERVICE_ID=162 +NIC_NAME={{ nic_mgr.name }} +LOG_PATH=./log/ntc_radius_plug/ntc_radius_plug +LOG_LEVEL=10 +[CONFIG] +LOG_PATH=./log/radius/radius +FS_SERVER_IP=127.0.0.1 +FS_SERVER_PORT=8125 +STAT_CYCLE=30 +LOG_LEVEL={{ tsg_log_level }} diff --git a/roles/reboot/tasks/main.yml b/roles/reboot/tasks/main.yml new file mode 100644 index 0000000..ea44f39 --- /dev/null +++ b/roles/reboot/tasks/main.yml @@ -0,0 +1,3 @@ +- name: "reboot" + reboot: + when: Deploy_finished_reboot == 1 diff --git a/roles/sapp/files/maat_redis_tool b/roles/sapp/files/maat_redis_tool new file mode 100644 index 0000000..9e797bb Binary files /dev/null and b/roles/sapp/files/maat_redis_tool differ diff --git a/roles/sapp/files/memory.conf b/roles/sapp/files/memory.conf new file mode 100644 index 0000000..5de1253 --- /dev/null +++ b/roles/sapp/files/memory.conf @@ -0,0 +1,2 @@ +[Service] +MemoryMax=100G \ No newline at end of file 
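Review bot: The template task's `src` is `radius.conf.j2`, but the file this commit adds is `roles/radius/templates/radius.conf` (next section on the same line), so the task fails with a missing-source error whenever the radius role runs; rename the file to `radius.conf.j2` or fix the `src`. The install task is titled "install firewall packages" although it installs the radius RPMs, and `skip_broken: yes` lets yum silently skip an uninstallable package, turning a broken build into a missing plug-in at runtime; drop it so the play fails loudly. In `radius.conf`, `LOG_LEVEL=10` under `[RADIUS_PLUG]` is fixed while `[CONFIG]` uses `{{ tsg_log_level }}`; the asymmetry needs either a comment or the same variable.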
diff --git a/roles/sapp/files/sapp-4.1.12.b8f6ea4-2.el7.x86_64.rpm b/roles/sapp/files/sapp-4.1.12.b8f6ea4-2.el7.x86_64.rpm new file mode 100644 index 0000000..67a2b02 Binary files /dev/null and b/roles/sapp/files/sapp-4.1.12.b8f6ea4-2.el7.x86_64.rpm differ diff --git a/roles/sapp/files/sapp-4.1.13.ed89137-2.el7.x86_64.rpm b/roles/sapp/files/sapp-4.1.13.ed89137-2.el7.x86_64.rpm new file mode 100644 index 0000000..078dd04 Binary files /dev/null and b/roles/sapp/files/sapp-4.1.13.ed89137-2.el7.x86_64.rpm differ diff --git a/roles/sapp/tasks/main.yml b/roles/sapp/tasks/main.yml new file mode 100644 index 0000000..d78c1ac --- /dev/null +++ b/roles/sapp/tasks/main.yml 
@@ -0,0 +1,60 @@ +--- +- name: "copy sapp to destination server" + copy: + src: "{{ role_path }}/files/" + dest: /tmp/ansible_deploy/ + +- name: "copy maat_redis_tool to destination server" + copy: + src: "{{ role_path }}/files/maat_redis_tool" + dest: /usr/local/bin + mode: 0755 + +- name: "install sapp rpms from localhost" + yum: + name: + - /tmp/ansible_deploy/sapp-4.1.13.ed89137-2.el7.x86_64.rpm + state: present + skip_broken: yes + +- name: "mkdir tsgconf" + file: + path: /home/mesasoft/sapp_run/tsgconf + state: directory + +- name: Template the sapp.toml + template: + src: "{{ role_path }}/templates/sapp.toml.j2" + dest: /home/mesasoft/sapp_run/etc/sapp.toml + tags: template + +- name: Template the project_list.conf + template: + src: "{{ role_path }}/templates/project_list.conf.j2" + dest: /home/mesasoft/sapp_run/etc/project_list.conf + tags: template + +- name: Template the conflist.inf + template: + src: "{{ role_path }}/templates/conflist.inf.j2" + dest: /home/mesasoft/sapp_run/plug/conflist.inf + tags: template + +- name: Template the gdev.conf + template: + src: "{{ role_path }}/templates/gdev.conf.j2" + dest: /home/mesasoft/sapp_run/etc/gdev.conf + when: tsg_access_type == 1 + + +- name: "Template sapp.service destination server" + template: + src: "{{ role_path }}/templates/sapp.service.j2" + dest: /usr/lib/systemd/system/sapp.service + mode: 0755 + +- name: "enable sapp" + systemd: + name: sapp + enabled: yes + daemon_reload: yes diff --git a/roles/sapp/templates/conflist.inf.j2 b/roles/sapp/templates/conflist.inf.j2 new file mode 100644 index 0000000..aed719b --- /dev/null +++ b/roles/sapp/templates/conflist.inf.j2 
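Review bot: `files/` carries both `sapp-4.1.12.b8f6ea4-2` and `sapp-4.1.13.ed89137-2` RPMs and the first task copies the whole directory to every host, yet only 4.1.13 is installed; the 4.1.12 package is dead weight in the repository and on each target, so remove it or copy the one RPM by name as the maat_redis_tool task does. `skip_broken: yes` has the same effect here as in the radius role — a failed dependency becomes a silent skip. `maat_redis_tool` and the RPMs are committed binaries installed without any integrity check; the `copy` module's `checksum` parameter (SHA1 of the expected file) at least ties what lands in `/usr/local/bin` to what was reviewed. The sapp.service template is installed with `mode: 0755`; `"0644"` is the convention for unit files.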
@@ -0,0 +1,40 @@ +[platform] +{% if tsg_access_type == 1 %} +./plug/platform/g_device_plug/g_device_plug.inf +#./plug/platform/http_healthcheck/http_healthcheck.inf +{% elif tsg_access_type == 2 %} +#./plug/platform/g_device_plug/g_device_plug.inf +./plug/platform/http_healthcheck/http_healthcheck.inf +{% else %} +#./plug/platform/g_device_plug/g_device_plug.inf +#./plug/platform/http_healthcheck/http_healthcheck.inf +{% endif %} +./plug/platform/tsg_master/tsg_master.inf +{% if tsg_app_enable == 1 %} +./plug/platform/app_proto_identify/app_proto_identify.inf +./plug/platform/app_master/app_master.inf +{% endif %} + +[protocol] +./plug/protocol/ssl/ssl.inf +./plug/protocol/http/http.inf +./plug/protocol/dns/dns.inf +./plug/protocol/mail/mail.inf +./plug/protocol/ftp/ftp.inf +./plug/protocol/quic/quic.inf + +[business] +./plug/business/tsg_conn_sketch/tsg_conn_sketch.inf +./plug/business/capture_packet_plug/capture_packet_plug.inf +./plug/business/kni/kni.inf +./plug/business/fw_ssl_plug/fw_ssl_plug.inf +./plug/business/fw_http_plug/fw_http_plug.inf +./plug/business/fw_dns_plug/fw_dns_plug.inf +./plug/business/fw_mail_plug/fw_mail_plug.inf +./plug/business/fw_ftp_plug/fw_ftp_plug.inf +./plug/business/fw_quic_plug/fw_quic_plug.inf +./plug/business/conn_telemetry/conn_telemetry.inf +{% if tsg_app_enable == 1 %} +./plug/business/app_sketch_local/app_sketch_local.inf +./plug/business/app_control_plug/app_control_plug.inf +{% endif %} diff --git a/roles/sapp/templates/gdev.conf.j2 b/roles/sapp/templates/gdev.conf.j2 new file mode 100644 index 0000000..b47bc38 --- /dev/null +++ b/roles/sapp/templates/gdev.conf.j2 
@@ -0,0 +1,11 @@ +[Module] +{% if tsg_running_type == 2 %} +pcapdevice={{ nic_data_incoming.name }} +sendto_gdev_card={{ nic_data_incoming.name }} +sendto_gdev_ip={{ inline_device_config.keepalive_ip }} +{% else %} +pcapdevice={{ inline_device_config.data_incoming }} +sendto_gdev_card={{ inline_device_config.data_incoming }} +sendto_gdev_ip={{ inline_device_config.keepalive_ip }} +{% endif %} +gdev_status_switch=1 diff --git a/roles/sapp/templates/project_list.conf.j2 b/roles/sapp/templates/project_list.conf.j2 new file mode 100644 index 0000000..c811132 --- /dev/null +++ b/roles/sapp/templates/project_list.conf.j2 @@ -0,0 +1,20 @@ +tcp_flow_stat struct +udp_flow_stat struct +tcp_deduce_flow_stat struct +POLICY_PRIORITY struct +ESTABLISH_LATENCY long +MAIL_IDENTIFY int +TSG_MASTER_INTERNAL_LABEL struct +APP_ID_LABEL struct +BASIC_PROTO_LABEL struct +USER_DEFINED_ATTRIBUTE struct +SKETCH_TRANS_LAYER_CTX_LABEL struct +SKETCH_PROTO_CTX_LABEL struct +common_link_info_c2s struct +common_link_info_s2c struct +common_link_info struct +JA3_FINGERPRINT_LABEL struct +DKPT_PRO_V2 struct +DPKT_PROJECT_V2 struct +PPROJECT_PRO_V2 struct +DPKT_BHSTAT_PROJECT struct diff --git a/roles/sapp/templates/sapp.service.j2 b/roles/sapp/templates/sapp.service.j2 new file mode 100644 index 0000000..e69b5fd --- /dev/null +++ b/roles/sapp/templates/sapp.service.j2 @@ -0,0 +1,13 @@ +[Unit] +Description=sapp service +{% if tsg_running_type != 0 %} +Requires=mrzcpd.service +After=mrzcpd.service +{% endif %} +[Service] +WorkingDirectory=/home/mesasoft/sapp_run +ExecStart=/home/mesasoft/sapp_run/sapp +Restart=always +RestartSec=5s +[Install] +WantedBy=multi-user.target diff --git a/roles/sapp/templates/sapp.toml.j2 b/roles/sapp/templates/sapp.toml.j2 new file mode 100644 index 0000000..80cd9f3 --- /dev/null +++ b/roles/sapp/templates/sapp.toml.j2 
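Review bot: `sapp.service.j2` has no `User=`/`Group=`, so sapp runs as root with `WorkingDirectory=/home/mesasoft/sapp_run` and is restarted unconditionally (`Restart=always`). If the only privilege it needs is raw packet access for the pcap/marsio interfaces configured in `sapp.toml`, the usual route on el7 (systemd 219, no `AmbientCapabilities=`) is a dedicated user plus `setcap cap_net_raw,cap_net_admin+ep` on the binary; whether the marsio backend needs more than that is not visible here, so confirm before changing. Even while it stays root, `PrivateTmp=yes`, `NoNewPrivileges=yes` and `ProtectSystem=full` are cheap hardening lines that fit under `[Service]`.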
@@ -0,0 +1,150 @@ +################################################################################################### +# NOTE: +# The format of this file is toml (https://github.com/cktan/tomlc99) +# to make vim editor display colorful and human readable, +# you can create a symbolic links named sapp.ini to sapp.toml, ln -sf sapp.toml sapp.ini +################################################################################################### + +[SYSTEM] +instance_name = "sapp4" + +[CPU] +{% if tsg_access_type == 0 %} +worker_threads=1 +{% else %} +worker_threads={{ sapp.worker_threads }} +{% endif %} +send_only_threads_max={{ sapp.send_only_threads_max }} +### note, bind_mask, if you do not want to bind thread to special CPU core, keep it empty as [] +{% if tsg_access_type == 0 %} +bind_mask=[] +{% else %} +bind_mask=[{{ sapp.bind_mask }}] +{% endif %} + +[PACKET_IO] +{% if tsg_access_type == 4 %} +### note, used to represent inbound or outbound direction value, +##### because it comes from other device, so it needs to be specified manually, +##### if inbound_route_dir=1, then outbound_route_dir=0, vice versa, +##### in other words, outbound_route_dir = 1 ^ inbound_route_dir; +inbound_route_dir={{ sapp.inbound_route_dir }} +{% endif %} +### note, BSD_packet_filter, if you do not want to set any filter rule, keep it empty as "" +BSD_packet_filter="" + +### note, depolyment.mode options: [mirror, inline, transparent] + [packet_io.depolyment] + {% if tsg_access_type == 0 %} + mode=transparent + {% else %} + mode=inline + {% endif %} + +### note, interface.type options: [pag,pcap,marsio] + [packet_io.internal.interface] + {% if tsg_access_type == 0 %} + type=pcap + name={{packet_io.internal_interface}} + {% else %} + type=marsio + name=vxlan_user + {% endif %} + + [packet_io.external.interface] + {% if tsg_access_type == 0 %} + type=pcap + name={{packet_io.external_interface}} + {% else %} + type=pcap + name=lo + {% endif %} + + [packet_io.polling] +### note, 
polling_priority = call sapp_recv_pkt every call polling_entry times, + polling_priority=1 + +[STREAM] + [stream.tcp] + max=200000 + timeout=30 + syn_mandatory=1 + reorder_pkt_max=5 + analyse_option_enabled=1 + [stream.tcp.inject] + link_mss=1460 + + [stream.tcp.inject.rst] + number=3 + signature_enabled=1 + signature_seed1=65535 + signature_seed2=13 + + [stream.udp] + max=10000 + timeout=60 + +[PROFILING] + [profiling.pkt_latency] + enabled=0 +### note, threshold unit is microseconds (us) + threshold=1000000 + + [profiling.sanity_check] + raw_pkt_broken_enabled=0 + symbol_conflict_enabled=0 + + [profiling.log] + level=20 + interval=5 + + [profiling.log.local] + enabled=1 +### note, if "file_truncate_open_enabled=1", file will be truncated, otherwise open the file for appending. + file_truncate_enabled = 1 + log_file_name = "fs2_sysinfo.log" + log_conf_name = "etc/sapp_log.conf" + [profiling.log.remote] + enabled=1 + server_ip=127.0.0.1 + server_port=8100 + + [profiling.log.remote.field_stat2] +### note, is valid when "remote_send_out_type=field_stat2" +### note, metric_type option value: [default, json] + metric_type = default + app_name=sapp + +[TOOLS] + [tools.pkt_dump] + enabled=0 +### note, mode options value:[storage, udp_socket] + mode=udp_socket + BSD_packet_filter="" + + [tools.pkt_dump.threads] +### note, if you want enable pkt dump in all thread, set dump_thread_all_enabled=1, then 'dump_thread_id' is obsoleted. +### if dump_thread_all_enabled=0, then use dump_thread_id to specify separate specified thread index. 
+ all_threads_enabled=1 + +### note, dump_thread_id start from 0, max is CPU.worker_threads-1 + dump_thread_id=[0,1,2,3,4] + + [tools.pkt_dump.udp] + command_port=12345 + + [tools.pkt_dump.storage] +### note, file path must be double quotation mark extension, for example, path="/dev/shm/pkt_dump" + path="/dev/shm/pkt_dump" +### note, file size unit: MB + file_size_max_per_thread=10000 + +### note: +### These configurations format is complex and difficult to describe with toml grammar, +### so, create a Independent config file to description specific information. +[SPECIAL_CONFIG_LINK] + project_list_path="./etc/project_list.conf" + plugin_path="./etc/plugin.conf" + entrylist_path="./etc/entrylist.conf" + send_raw_pkt_path="./etc/send_raw_pkt.conf" + vxlan_sport_service_map_path="./etc/vxlan_sport_service_map.conf" diff --git a/roles/telegraf_collect/files/telegraf-1.13.0-1.x86_64.rpm b/roles/telegraf_collect/files/telegraf-1.13.0-1.x86_64.rpm new file mode 100644 index 0000000..0bb3681 Binary files /dev/null and b/roles/telegraf_collect/files/telegraf-1.13.0-1.x86_64.rpm differ diff --git a/roles/telegraf_collect/files/telegraf_collect.service b/roles/telegraf_collect/files/telegraf_collect.service new file mode 100644 index 0000000..4ba8704 --- /dev/null +++ b/roles/telegraf_collect/files/telegraf_collect.service @@ -0,0 +1,16 @@ +[Unit] +Description=Statistic information +Documentation=https://github.com/influxdata/telegraf +After=network.target + +[Service] +EnvironmentFile=-/etc/default/telegraf +User=telegraf +ExecStart=/usr/bin/telegraf -config /etc/telegraf/telegraf_collect.conf -config-directory /etc/telegraf/telegraf_collect.d $TELEGRAF_OPTS +ExecReload=/bin/kill -HUP $MAINPID +Restart=on-failure +RestartForceExitStatus=SIGPIPE +KillMode=control-group + +[Install] +WantedBy=multi-user.target diff --git a/roles/telegraf_collect/tasks/main.yml b/roles/telegraf_collect/tasks/main.yml new file mode 100644 index 0000000..f726f62 --- /dev/null 
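Review bot: `[stream.tcp.inject.rst]` commits fixed `signature_seed1=65535` / `signature_seed2=13`, so every deployment built from this playbook injects RSTs with identical signature seeds; if the signature is meant to make the device's own resets recognisable or hard to forge, the seeds belong in (vault-encrypted) host vars as `{{ sapp.rst_signature_seed1 }}` / `{{ sapp.rst_signature_seed2 }}` rather than in a shared template. `[tools.pkt_dump.udp] command_port=12345` has no bind address or access-control setting anywhere in this file; pkt_dump is `enabled=0` today, but a comment `### note, the pkt_dump command port has no auth in this config - keep enabled=0 outside debugging` would warn whoever turns it on. `[profiling.log.remote]` sends to `127.0.0.1:8100`, which is the only producer visible for the telegraf_statistic `udp_listener` in this commit, so that listener can be bound to loopback.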
+++ b/roles/telegraf_collect/tasks/main.yml @@ -0,0 +1,29 @@ +- name: "copy telegraf.rpm to destination server" + copy: + src: "{{ role_path }}/files/telegraf-1.13.0-1.x86_64.rpm" + dest: /tmp + +- name: "install telegraf" + yum: + name: + - /tmp/telegraf-1.13.0-1.x86_64.rpm + state: present + +- name: "Templates telegraf_collect.conf" + template: + src: "{{role_path}}/templates/telegraf_collect.conf.j2" + dest: /etc/telegraf/telegraf_collect.conf + tags: template + +- name: "copy telegraf_collect.service to destination server" + copy: + src: "{{ role_path }}/files/telegraf_collect.service" + dest: /usr/lib/systemd/system + mode: 0644 + +- name: "Start telegraf_collect" + systemd: + name: telegraf_collect + state: started + enabled: yes + daemon_reload: yes diff --git a/roles/telegraf_collect/templates/telegraf_collect.conf.j2 b/roles/telegraf_collect/templates/telegraf_collect.conf.j2 new file mode 100644 index 0000000..2574a73 --- /dev/null +++ b/roles/telegraf_collect/templates/telegraf_collect.conf.j2 
@@ -0,0 +1,73 @@ +[global_tags] + blade = "{{bladename}}" +[agent] + interval = "5s" + round_interval = true + metric_batch_size = 1000000 + metric_buffer_limit = 1000000 + collection_jitter = "0s" + flush_interval = "1s" + flush_jitter = "0s" + precision = "" + debug = false + quiet = false + logfile = "" + hostname = "" + omit_hostname = false + +[[outputs.file]] + files = ["stdout", "/tmp/collect.out"] + data_format = "json" + rotation_interval = "1h" + rotation_max_size = "100MB" + rotation_max_archives = 5 + +[[outputs.socket_writer]] + address = "udp://192.168.100.1:8100" + + +{% if bladename == "mcn0" %} +[[inputs.procstat]] + exe= "sapp" +[[inputs.procstat]] + exe="certstore" +{% else %} +[[inputs.procstat]] + exe= "tfe" +{% endif %} + +[[inputs.systemd_units]] + unittype = "service" + timeout = "1s" + +[[inputs.cpu]] + percpu = false + totalcpu = true + collect_cpu_time = false + report_active = false + fieldpass = ["usage_idle", "usage_iowait", "usage_system", "usage_user"] + +[[inputs.system]] + fieldpass = ["load1", "load5", "load15"] + +[[inputs.mem]] + fieldpass = ["available"] + +[[inputs.disk]] + fieldpass = ["free", "inodes_free", "used_percent"] + ignore_fs = ["tmpfs", "devtmpfs", "devfs", "overlay", "aufs", "squashfs"] + +[[inputs.diskio]] + fieldpass = ["read_bytes", "write_bytes", "reads","writes"] + +[[inputs.netstat]] + +[[inputs.net]] + ignore_protocol_stats = false + interfaces = ["ens*"] + +[[inputs.kernel]] + +[[inputs.udp_listener]] + ServiceAddress= ":58100" + data_format = "influx" \ No newline at end of file diff --git a/roles/telegraf_statistic/files/telegraf-1.13.0-1.x86_64.rpm b/roles/telegraf_statistic/files/telegraf-1.13.0-1.x86_64.rpm new file mode 100644 index 0000000..0bb3681 Binary files /dev/null and b/roles/telegraf_statistic/files/telegraf-1.13.0-1.x86_64.rpm differ 
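Review bot: `[[inputs.udp_listener]] ServiceAddress= ":58100"` binds every interface and accepts influx line protocol from any host, while the only sender visible in this commit is tfe's `future.conf` (`statsd_server=127.0.0.1`, `statsd_port=58100`); bind it to loopback so per-blade metrics cannot be injected from the data-plane side, and since `udp_listener` is deprecated in telegraf 1.13 write it as `[[inputs.socket_listener]]` with `service_address = "udp://127.0.0.1:58100"`. `[[outputs.file]]` also writes to the fixed path `/tmp/collect.out` in the shared `/tmp` as the `telegraf` user, which is a predictable symlink target; prefer a directory owned by that user (e.g. `/var/log/telegraf/collect.out`) or `PrivateTmp=yes` in the unit. `metric_batch_size = 1000000` / `metric_buffer_limit = 1000000` are three orders of magnitude above the statistic config's values and let the agent buffer a million points in memory when the socket output is unreachable — confirm that is intended.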
diff --git a/roles/telegraf_statistic/files/telegraf_statistic.service b/roles/telegraf_statistic/files/telegraf_statistic.service new file mode 100644 index 0000000..78d31cb --- /dev/null +++ b/roles/telegraf_statistic/files/telegraf_statistic.service @@ -0,0 +1,16 @@ +[Unit] +Description=Statistic information +Documentation=https://github.com/influxdata/telegraf +After=network.target + +[Service] +EnvironmentFile=-/etc/default/telegraf +User=telegraf +ExecStart=/usr/bin/telegraf -config /etc/telegraf/telegraf_statistic.conf -config-directory /etc/telegraf/telegraf_statistic.d $TELEGRAF_OPTS +ExecReload=/bin/kill -HUP $MAINPID +Restart=on-failure +RestartForceExitStatus=SIGPIPE +KillMode=control-group + +[Install] +WantedBy=multi-user.target diff --git a/roles/telegraf_statistic/tasks/main.yml b/roles/telegraf_statistic/tasks/main.yml new file mode 100644 index 0000000..fa8a921 --- /dev/null +++ b/roles/telegraf_statistic/tasks/main.yml @@ -0,0 +1,29 @@ +- name: "copy telegraf.rpm to destination server" + copy: + src: "{{ role_path }}/files/telegraf-1.13.0-1.x86_64.rpm" + dest: /tmp + +- name: "install telegraf" + yum: + name: + - /tmp/telegraf-1.13.0-1.x86_64.rpm + state: present + +- name: "Templates telegraf.conf" + template: + src: "{{role_path}}/templates/telegraf_statistic.conf.j2" + dest: /etc/telegraf/telegraf_statistic.conf + tags: template + +- name: "copy telegraf_statistic.service to destination server" + copy: + src: "{{ role_path }}/files/telegraf_statistic.service" + dest: /usr/lib/systemd/system + mode: 0644 + +- name: "Start telegraf" + systemd: + name: telegraf_statistic.service + state: started + enabled: yes + daemon_reload: yes diff --git a/roles/telegraf_statistic/templates/telegraf_statistic.conf.j2 b/roles/telegraf_statistic/templates/telegraf_statistic.conf.j2 new file mode 100644 index 0000000..4db532e --- /dev/null +++ b/roles/telegraf_statistic/templates/telegraf_statistic.conf.j2 
@@ -0,0 +1,59 @@ +[global_tags] + device_id = "${device_id}" +[agent] + interval = "5s" + round_interval = true + metric_batch_size = 1000 + metric_buffer_limit = 10000 + collection_jitter = "0s" + flush_interval = "1s" + flush_jitter = "0s" + precision = "" + debug = false + quiet = false + logfile = "" + hostname = "" + omit_hostname = false +[[outputs.file]] + files = ["stdout", "/tmp/metrics.out"] + data_format = "json" + rotation_interval = "1h" + rotation_max_size = "100MB" + rotation_max_archives = 5 + +[[aggregators.basicstats]] + period = "15s" + namepass = ["TRAFFIC", "intercept", "hit_share", "tcp_links", "udp_links", "success_log", "failed_log", "bypass", "drop_log", + "byp_intcp_err","e_get_link_mode_err","e_no_link_mode_bysyn","e_asym_route","e_no_syn","e_no_s/a","e_ip_hdr","e_exc_mtu", + "e_tfe_tx","e_tup2stm_add","e_no_tfe","e_dup_tfc","e_cmsg_add","intcp_stm","intcp_B","ipv4_stm","ipv6_stm","ssl_stm", + "http_stm","dup_tfc_stm","dup_tfc_B","intcp_rdy_stm","intcp_rdy_B","pme_new","pme_free","pme_cnt","e_sendlog","e_id2pme_add", + "e_id2pme_del","e_tup2stm_add","e_tup2stm_del","e_sapp_inject","e_bloom_srch","e_bloom_add","id2pme_add_S","id2pme_del_S", + "id2pme_cnt","tup2stm_add_S","tup2stm_del_S","tup2stm_hit","tup2stm_miss","sendlog_S","sapp_inject_S","bloom_hit","bloom_miss", + "id2ssl_add_S","id2ssl_del_S","id2ssl_cnt","ssl2pass_add_S","ssl2pass_del_S","ssl2pass_cnt","dy_pass_stm","dy_pass_B", + "dy_pass_ipv6_stm","dy_pass_ipv4_stm","bloom_cnt","tuple2stm_cnt","usess_hit", "dsess_hit", "dtkt_hit", "SIGPIPE", "fd_rx", + "fd_rx_err", "fd_inst_cls", "stm_open", "stm_cls", "dstm_eof","ustm_eof", "dstm_err", "ustm_err", "stm_kill", "stm_incpt", + "stm_byp", "stm_incpt_B", "dstm_incpt_B", "ustm_incpt_B","plain", "ssl", "ussl_new", "ussl_err", "ussl_e_ciph", "ussl_e_prt", + "ussl_clsing", "ussl_clsd", "ussl_dt_cls", "usess_cache","dssl_new", "dssl_err", "dssl_e_cert", "dssl_e_fb", "dssl_clsing", + "dssl_clsd", "dssl_dt_cls", "dsess_cache", 
"dtkt_new","dtkt_notfnd", "ssl_no_chlo", "ssl_no_sni", "ssl_fk_crt", "kyr_cache", + "kyr_ask", "kyr_new", "ssl_pinning", "ssl_mauth","ssl_ct_crt", "ssl_ev_crt", "app_no_pinning", "trusted_cert_nums", "doh_sess", + "doh_log", "doh_hijack", "http_sess", "log_num","intcp_mon_num", "intcp_deny_num", "intcp_rdirt_num", "intcp_repl_num", + "intcp_hijk_num", "hijk_bytes", "intcp_ins_num", "ins_bytes","intcp_allow_num", "suspending"] + drop_original = false + stats = ["sum"] + +[[outputs.kafka]] + brokers = ["{{ log_kafkabrokers.address }}"] + fieldpass = [ "*_conn_num", "*_bytes", "*_in_packets", "*_out_packets", "intercept", "hit_share", "tcp_links", "udp_links", "success_log", "failed_log", "bypass", "drop_log","pinning_num","*pinning_num","intcp_*_num"] + topic = "TRAFFIC-METRICS-LOG" + data_format = "json" +[[outputs.prometheus_client]] + listen = ":9273" + path = "/metrics" +[[inputs.tcp_listener]] +[[inputs.udp_listener]] + ServiceAddress= ":8100" + data_format = "influx" + +[[outputs.influxdb]] + urls = ["{{ monitor_outputs_influxdb.url }}"] + database = "tsg_stat" \ No newline at end of file diff --git a/roles/tfe/files/memory.conf b/roles/tfe/files/memory.conf new file mode 100644 index 0000000..5de1253 --- /dev/null +++ b/roles/tfe/files/memory.conf @@ -0,0 +1,2 @@ +[Service] +MemoryMax=100G \ No newline at end of file diff --git a/roles/tfe/files/tfe-4.3.14.13d2607-1.el7.x86_64.rpm b/roles/tfe/files/tfe-4.3.14.13d2607-1.el7.x86_64.rpm new file mode 100644 index 0000000..f2755aa Binary files /dev/null and b/roles/tfe/files/tfe-4.3.14.13d2607-1.el7.x86_64.rpm differ diff --git a/roles/tfe/files/tfe-kmod-v1.0.5.20200408-1dkms.noarch.rpm b/roles/tfe/files/tfe-kmod-v1.0.5.20200408-1dkms.noarch.rpm new file mode 100644 index 0000000..bae4165 Binary files /dev/null and b/roles/tfe/files/tfe-kmod-v1.0.5.20200408-1dkms.noarch.rpm differ diff --git a/roles/tfe/files/tfe.service b/roles/tfe/files/tfe.service new file mode 100644 index 0000000..d146371 --- /dev/null 
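Review bot: Three listeners in this file bind all interfaces with no authentication: `[[inputs.udp_listener]] ServiceAddress= ":8100"` (the only producer in this commit is sapp's `server_ip=127.0.0.1`), `[[outputs.prometheus_client]] listen = ":9273"`, and an empty `[[inputs.tcp_listener]]` block that takes the plugin defaults. Change the udp listener to `"127.0.0.1:8100"`, bind `prometheus_client` to the management address (or add `basic_username`/`basic_password` and TLS), and drop the bare `tcp_listener` unless something is known to send to it. `[[outputs.kafka]]` and `[[outputs.influxdb]]` carry only a broker list and URL; if those services support TLS/SASL or a username/password, the corresponding `tls_*`/`sasl_*`/`username` settings should come from vault variables here rather than shipping metrics in the clear.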
+++ b/roles/tfe/files/tfe.service @@ -0,0 +1,22 @@ +[Unit] +Description=Tango Frontend Engine +Requires=tfe-env.service +After=tfe-env.service + + +[Service] +Type=notify +ExecStart=/opt/tsg/tfe/bin/tfe +WorkingDirectory=/opt/tsg/tfe/ +TimeoutSec=7200s +RestartSec=10s +Restart=always +LimitNOFILE=524288 +LimitNPROC=infinity +LimitCORE=infinity +TasksMax=infinity +Delegate=yes +KillMode=process + +[Install] +WantedBy=multi-user.target diff --git a/roles/tfe/tasks/main.yml b/roles/tfe/tasks/main.yml new file mode 100644 index 0000000..2fee00b --- /dev/null +++ b/roles/tfe/tasks/main.yml 
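Review bot: `LimitCORE=infinity` together with `disable_coredump=0` in this commit's `tfe.conf.j2` means a crash of tfe — the process that holds the `[ssl]` session caches and `[key_keeper]` certificate material — writes a full core image to disk as root, and `enable_breakpad_upload=1` ships a minidump of the same memory to `breakpad_upload_url`; in production set `LimitCORE=0` (or keep breakpad but make the upload endpoint and `/run/tfe/crashreport` permissions part of the threat model). The unit runs as root with no `User=`, `LimitNPROC=infinity`, `TasksMax=infinity`, and `KillMode=process` leaves any children alive after `systemctl stop`; if root is required for kni/marsio, at least add `PrivateTmp=yes` and `ProtectSystem=full`. `Type=notify` with `TimeoutSec=7200s` will make a start that never calls sd_notify hang for two hours before failing — confirm tfe actually notifies.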
@@ -0,0 +1,82 @@ +--- +- name: "copy tfe program to destination server" + copy: + src: "{{ role_path }}/files/" + dest: /tmp/ansible_deploy/ + +- name: "copy tfe.service to destination server" + copy: + src: "{{ role_path }}/files/tfe.service" + dest: /usr/lib/systemd/system/ + mode: 0644 + +- name: "install tfe rpms from localhost" + yum: + name: + - /tmp/ansible_deploy/tfe-kmod-v1.0.5.20200408-1dkms.noarch.rpm + - /tmp/ansible_deploy/tfe-4.3.14.13d2607-1.el7.x86_64.rpm + state: present + +- name: "template tfe-env config" + template: + src: "{{ role_path }}/templates/tfe-env-config.j2" + dest: /etc/sysconfig/tfe-env-config + +- name: "template the tfe.conf" + template: + src: "{{ role_path }}/templates/tfe.conf.j2" + dest: /opt/tsg/tfe/conf/tfe/tfe.conf + +- name: "template the zlog.conf" + template: + src: "{{ role_path }}/templates/zlog.conf.j2" + dest: /opt/tsg/tfe/conf/tfe/zlog.conf + +- name: "template the future.conf" + template: + src: "{{ role_path }}/templates/future.conf.j2" + dest: /opt/tsg/tfe/conf/tfe/future.conf + +- name: "template the pangu_pxy.conf" + template: + src: "{{ role_path }}/templates/pangu_pxy.conf.j2" + dest: /opt/tsg/tfe/conf/pangu/pangu_pxy.conf + +- name: "create conf/doh/" + file: + path: /opt/tsg/tfe/conf/doh/ + state: directory + +- name: "template the doh.conf" + template: + src: "{{ role_path }}/templates/doh.conf.j2" + dest: /opt/tsg/tfe/conf/doh/doh.conf + +- name: "create a override conf - first step, create dir" + file: + path: /etc/systemd/system/tfe.service.d/ + state: directory + mode: '0755' + +- name: "create a override conf - second step, copy a override service file" + template: + src: "{{ role_path }}/templates/require-mrzcpd.conf.j2" + dest: /etc/systemd/system/tfe.service.d/require-mrzcpd.conf + +- name: "copy memory limit file to tfe.service.d" + copy: + src: "{{ role_path }}/files/memory.conf" + dest: /etc/systemd/system/tfe.service.d/ + mode: 0644 + +- name: "enable tfe-env" + systemd: + name: tfe-env + 
enabled: yes + daemon_reload: yes + +- name: "enable tfe" + systemd: + name: tfe + enabled: yes + daemon_reload: yes diff --git a/roles/tfe/templates/doh.conf.j2 b/roles/tfe/templates/doh.conf.j2 new file mode 100644 index 0000000..4dcc215 --- /dev/null +++ b/roles/tfe/templates/doh.conf.j2 @@ -0,0 +1,13 @@ +[doh] +enable=1 + +[maat] +table_appid=TSG_OBJ_APP_ID +table_addr=TSG_SECURITY_ADDR +table_qname=TSG_FIELD_DOH_QNAME +table_host=TSG_FIELD_DOH_HOST + +[kafka] +ENTRANCE_ID=0 +# if enable "en_sendlog", the iterm "tfe.conf [kafka] enable" must set 1 +en_sendlog=1 diff --git a/roles/tfe/templates/future.conf.j2 b/roles/tfe/templates/future.conf.j2 new file mode 100644 index 0000000..c71679c --- /dev/null +++ b/roles/tfe/templates/future.conf.j2 @@ -0,0 +1,10 @@ +[STAT] +no_stats=0 +statsd_server=127.0.0.1 +statsd_port=58100 +histogram_bins=0.50,0.80,0.9,0.95 +statsd_cycle=5 +# FS_OUTPUT_STATSD=1, FS_OUTPUT_INFLUX_LINE=2 +statsd_format=2 +# printf diff Not available +# print_diff=1 diff --git a/roles/tfe/templates/pangu_pxy.conf.j2 b/roles/tfe/templates/pangu_pxy.conf.j2 new file mode 100644 index 0000000..dbfe9c0 --- /dev/null +++ b/roles/tfe/templates/pangu_pxy.conf.j2 
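Review bot: None of the `template:` tasks for `tfe-env-config`, `tfe.conf`, `zlog.conf`, `future.conf`, `pangu_pxy.conf`, `doh.conf` or the `require-mrzcpd.conf` drop-in set `mode:`/`owner:`, so `tfe.conf` (which names the maat redis server, kafka brokers, cert store and breakpad upload URL) is created with the default, typically world-readable, permissions; give the config templates `mode: '0640'` and the systemd drop-in `mode: '0644'`, matching the explicit modes used for `tfe.service` and `memory.conf` in the same hunk. `roles/tfe/templates/tfe_kmod.conf.j2` (`# load tfe_kmod at boot`) is added by this commit but no task here templates it into `/etc/modules-load.d/`, so unless `tfe-env.service` loads the module (not visible here) it will be missing after the `reboot` role runs. The rpms are staged in world-writable `/tmp/ansible_deploy/` before a root `yum` install; use a root-owned staging directory. `enabled: yes` should be `enabled: true`.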
@@ -0,0 +1,109 @@ +[debug] +enable_plugin=1 + +[log] +# default 1, if enable "en_sendlog", the iterm "tfe.conf [kafka] enable" must set 1 +en_sendlog=1 +entrance_id=0 + +#Addresses of minio. Format is defined by WiredLB. +#minio_ip_list=192.168.10.61-64; +minio_ip_list= {{ log_minio.address }} +minio_listen_port= {{ log_minio.port }} +#Maximum number of connections opened by per host. +#MAX_CONNECTION_PER_HOST=1 +#Maximum number of requests in a pipeline. +#MAX_CNNT_PIPELINE_NUM=20 +#Maximum parellel sessions(http and redis) is allowed to open. +#MAX_CURL_SESSION_NUM=100 +#Maximum time the request is allowed to take(seconds). +#MAX_CURL_TRANSFER_TIMEOUT_S=0 + +#Bucket name in minio. +cache_bucket_name=proxybucket +#Maximum size of memory used by tango_cache_client. Upload will fail if the current size of memory used exceeds this value. +max_used_memroy_size_mb=5120 +#Default TTL of objects, i.e. the time after which the object will expire(minumun 60s, i.e. 1 minute). +cache_default_ttl_second=3600 +#Whether to hash the object key before cache actions. GET/PUT may be faster if you open it. +cache_object_key_hash_switch=1 + +#Store way: 0-MINIO; 1-META in REDIS, object in minio; 2-META and small object in Redis, large object in minio; +cache_store_object_way=0 +#If CACHE_STORE_OBJECT_WAY is 2 and the size of a object is not bigger than this value, object will be stored in redis. +redis_cache_object_size=1024000 +#Configs of WiredLB for Minios load balancer. +#WIREDLB_OVERRIDE=1 +wiredlb_health_port=42310 +#If CACHE_STORE_OBJECT_WAY is not 0, we will use redis to store meta and object. 
+redis_cluster_ip_list=192.168.10.62-63; +redis_cluster_port_range=6379 +#wired load balancer configuration + +wiredlb_override=1 +wiredlb_topic=MinioFileLog +wiredlb_datacenter=k18consul-tse +wiredlb_health_port=52102 +wiredlb_group=FileLog + +log_fsstat_appname=tango_log_file +log_fsstat_filepath=./tango_log_file.fs +log_fsstat_interval=10 +log_fsstat_trig=1 +log_fsstat_dst_ip=10.4.20.202 +log_fsstat_dst_port=8125 + +[ratelimit] +enable=0 +token_name=ratelimit +redis_server={{ maat_redis_server.address }} +redis_port={{ maat_redis_server.port }} +redis_db_index=6 + +[tango_cache] +enable_cache=0 +minio_ip_list=192.168.10.61-64; +minio_listen_port=9000 + +#max_connection_per_host=1 +max_cnnt_pipeline_num=20 +#max_curl_session_num=100 + +cache_bucket_name=proxybucket +max_used_memory_size_mb=10240 +cache_default_ttl_second=3600 +cache_object_key_hash_switch=1 + +#1-minio,2-redis +#Store way: 0-MINIO; 1-META in REDIS, object in minio; 2-META and small object in Redis, large object in minio; +cache_store_object_way=0 +#If CACHE_STORE_OBJECT_WAY is 2 and the size of a object is not bigger than this value, object will be stored in redis. +redis_cache_object_size=102400 +#If CACHE_STORE_OBJECT_WAY is not 0, we will use redis to store meta and object. +redis_cluster_ip_list=192.168.10.62-63; +redis_cluster_port_range=6379 +#wired load balancer configuration +wiredlb_override=1 +wiredlb_topic=MinioCache +wiredlb_datacenter=k18consul-tse +wiredlb_health_port=52101 +wiredlb_group=TangoCache + +cache_undefined_obj=1 +query_undefined_obj=0 +statsd_server=192.168.10.72 +statsd_port=8126 +histogram_bins=0.20,0.40,0.6,0.8 + +log_fsstat_appname=tango_cache +log_fsstat_filepath=./tango_cache_client.fs +log_fsstat_interval=10 +log_fsstat_trig=1 +log_fsstat_dst_ip=10.4.20.201 +log_fsstat_dst_port=8125 + + +[traffic_mirror] +table_info=resource/pangu/table_info_traffic_mirror.conf +stat_file=log/traffic_mirror.status + 
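Review bot: The `[log]` section sets `wiredlb_health_port` twice (`42310` and later `52102`) and spells the memory cap `max_used_memroy_size_mb=5120`, while `[tango_cache]` uses `max_used_memory_size_mb=10240`; whichever spelling the parser reads, one of the two is silently ignored, so remove the first `wiredlb_health_port` line and align the key name (check the tfe source for which spelling is actually parsed). The minio, redis, statsd and fsstat endpoints (`192.168.10.61-64`, `192.168.10.62-63`, `192.168.10.72`, `10.4.20.201`/`.202`) are hard-coded although `[ratelimit]` already takes `{{ maat_redis_server.address }}` from group_vars; moving them to vars prevents a template copied to another site from sending logs and cache objects to a stale lab address. No credentials appear for redis or minio anywhere in the file — if those services require them, they need to arrive via vault-backed variables, not this template.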
diff --git a/roles/tfe/templates/require-mrzcpd.conf.j2 b/roles/tfe/templates/require-mrzcpd.conf.j2
new file mode 100644
index 0000000..66af91c
--- /dev/null
+++ b/roles/tfe/templates/require-mrzcpd.conf.j2
@@ -0,0 +1,3 @@
+[Unit]
+Requires=tfe-env.service mrzcpd.service
+After=tfe-env.service mrzcpd.service
diff --git a/roles/tfe/templates/tfe-env-config.j2 b/roles/tfe/templates/tfe-env-config.j2
new file mode 100644
index 0000000..deec32a
--- /dev/null
+++ b/roles/tfe/templates/tfe-env-config.j2
@@ -0,0 +1,20 @@
+{% if tsg_access_type == 4 %}
+TFE_DEVICE_DATA_INCOMING={{ ATCA_data_incoming.vf2_name }}
+{% elif tsg_running_type != 2 %}
+TFE_DEVICE_DATA_INCOMING=tun_kni
+{% else %}
+TFE_DEVICE_DATA_INCOMING={{ nic_data_incoming.name }}
+{% endif %}
+TFE_LOCAL_MAC_DATA_INCOMING=fe:65:b7:03:50:bd
+{% if tsg_access_type == 4 %}
+TFE_PEER_MAC_DATA_INCOMING=00:0e:c6:d6:72:c1
+{% else %}
+TFE_PEER_MAC_DATA_INCOMING=aa:bb:cc:dd:ee:ff
+{% endif %}
+TFE_LOCAL_IP_DATA_INCOMING=172.16.241.2
+TFE_PEER_IP_DATA_INCOMING=172.16.241.1
+
+{% if tsg_running_type != 2 %}
+TFE_WATCHDOG_DEVICE={{ nic_inner_ctrl.name }}
+TFE_WATCHDOG_IP=192.168.100.1
+{% endif %}
diff --git a/roles/tfe/templates/tfe.conf.j2 b/roles/tfe/templates/tfe.conf.j2
new file mode 100644
index 0000000..cd2391e
--- /dev/null
+++ b/roles/tfe/templates/tfe.conf.j2
@@ -0,0 +1,190 @@ +[system] +nr_worker_threads={{ tfe.nr_threads }} +enable_kni_v1=0 +enable_kni_v2=1 + +# Only when (disable_coredump == 1 || (enable_breakpad == 1 && enable_breakpad_upload == 1)) is satisfied, the core will not be generated locally +disable_coredump=0 +enable_breakpad=1 +enable_breakpad_upload=1 +breakpad_upload_url={{ breakpad_upload_url }} +# must be /run/tfe/crashreport,due to tmpfile limit +breakpad_minidump_dir=/run/tfe/crashreport + +# ask for at least (1 + nr_worker_threads) masks +# the first mask for acceptor thread +# the others mask for worker thread +enable_cpu_affinity=0 +cpu_affinity_mask=1-9 +# LEAST_CONN = 0; ROUND_ROBIN = 1 +load_balance=1 + +[kni] +# kni v1 +#uxdomain=/var/run/.tfe_kni_acceptor_handler +# kni v2 +#scm_socket_file=/var/run/.tfe_kmod_scm_socket + +# send cmsg +send_switch=1 +ip=192.168.100.1 +cmsg_port=2475 + +# watch dog +watchdog_switch=1 +watchdog_port=2476 + +[ssl] +ssl_ja3_debug=0 +# ssl version Not available, configured via TSG website +# ssl_max_version=tls13 +# ssl_min_version=ssl3 +ssl_compression=1 +no_ssl2=1 +no_ssl3=0 +no_tls10=0 +no_tls11=0 +no_tls12=0 +default_ciphers=ALL:-aNULL +no_cert_verify=0 + +# session ticket +no_session_ticket=0 +stek_group_num=4096 +stek_rotation_time=3600 + +# session cache +no_session_cache=0 +session_cache_slots=4194304 +session_cache_expire_seconds=1800 + +# service cache +service_cache_slots=4194304 +service_cache_expire_seconds=300 +service_cache_fail_as_pinning_cnt=4 +service_cache_fail_as_proto_err_cnt=5 +service_cache_succ_as_app_not_pinning_cnt=0 +service_cache_fail_time_window=30 + +# cert +check_cert_crl=0 +{% if tsg_running_type == 2 %} +trusted_cert_load_local=1 +trusted_cert_file=resource/tfe/tsg_diagnose_ca.pem +{% else %} +trusted_cert_load_local=1 +trusted_cert_file=resource/tfe/tls-ca-bundle.pem +{% endif %} +trusted_cert_dir=resource/tfe/trusted_storage + +# master key +log_master_key=0 +key_log_file=log/sslkeylog.log + +# mid cert cache 
+mc_cache_enable=1 +mc_cache_eth={{ nic_mgr.name }} +mc_cache_broker_list={{ log_kafkabrokers.address }} +mc_cache_topic=PXY-EXCH-INTERMEDIA-CERT + +[key_keeper] +#Mode: debug - generate cert with ca_path, normal - generate cert with cert store +#0 on cache 1 off cache +no_cache=0 +mode=normal +cert_store_host={{ cert_store_server.address }} +cert_store_port={{ cert_store_server.port }} +ca_path=resource/tfe/tango-ca-v3-trust-ca.pem +untrusted_ca_path=resource/tfe/tango-ca-v3-untrust-ca.pem +hash_slot_size=131072 +hash_expire_seconds=300 +cert_expire_time=24 + +# health_check only for "mode=normal" default 1 +enable_health_check=1 + +[debug] +# 1 : enforce tcp passthrough +# 0 : Whether to passthrough depends on the tcp_options in cmsg +passthrough_all_tcp=0 + +[ratelimit] +read_rate=0 +read_burst=0 +write_rate=0 +write_burst=0 + +[tcp] +# read rcv_buff/snd_buff options from tfe conf +sz_rcv_buffer=-1 +sz_snd_buffer=-1 + +# 1 : use tcp_options in tfe.conf +# 0 : use tcp_options in cmsg +enable_overwrite=0 +tcp_nodelay=1 +so_keepalive=1 +tcp_keepcnt=8 +tcp_keepintvl=15 +tcp_keepidle=30 +tcp_user_timeout=600 +tcp_ttl_upstream=75 +tcp_ttl_downstream=70 + +[stat] +statsd_server=127.0.0.1 +statsd_port=58100 +statsd_cycle=5 +# 1:FS_OUTPUT_STATSD; 2:FS_OUTPUT_INFLUX_LINE +statsd_format=2 +histogram_bins=0.5,0.8,0.9,0.95 + +[traffic_mirror] +{% if tsg_running_type != 2 %} +enable={{ tfe.mirror_enable }} +device=lo +# 0:TRAFFIC_MIRROR_ETHDEV_AF_PACKET; 1:TRAFFIC_MIRROR_ETHDEV_MARSIO +type=0 +{% else %} +enable={{ tfe.mirror_enable }} +device={{ nic_traffic_mirror.name }} +# 0:TRAFFIC_MIRROR_ETHDEV_AF_PACKET; 1:TRAFFIC_MIRROR_ETHDEV_MARSIO +type=1 +{% endif %} + +[kafka] +enable=1 +NIC_NAME={{ nic_mgr.name }} +kafka_brokerlist={{ log_kafkabrokers.address }} +kafka_topic=PROXY-EVENT-LOG +device_id_filepath=/opt/tsg/etc/tsg_sn.json + +[maat] +# 0:json 1:redis 2:iris +maat_input_mode=1 +stat_switch=1 +perf_switch=1 +table_info=resource/pangu/table_info.conf 
+accept_path=/opt/tsg/etc/tsg_device_tag.json +stat_file=log/pangu_scan.fs2 +effect_interval_s=1 +deferred_load_on=0 + +# Pangu uses accept_tags to support the effective range of the device. +# Traffic mirroring does not need to support the effective range of the device, +# but pangu and traffic mirroring use the same maat configuration file. +# Therefore, there is no need to set accept_tags in tfe.conf, +# just set accept_tags in the tfe_resource_init() code +# accept_tags={"tags":[{"tag":"device_id","value":"device_1"}]} + +# json mode conf iterm +json_cfg_file=resource/pangu/pangu_http.json + +# redis mode conf iterm +maat_redis_server={{ maat_redis_server.address }} +maat_redis_port_range={{ maat_redis_server.port }} +maat_redis_db_index={{ maat_redis_server.db }} + +# iris mode conf iterm +full_cfg_dir=pangu_policy/full/index/ +inc_cfg_dir=pangu_policy/inc/index/ diff --git a/roles/tfe/templates/tfe_kmod.conf.j2 b/roles/tfe/templates/tfe_kmod.conf.j2 new file mode 100644 index 0000000..b16677a --- /dev/null +++ b/roles/tfe/templates/tfe_kmod.conf.j2 @@ -0,0 +1,2 @@ +# load tfe_kmod at boot +tfe_kmod diff --git a/roles/tfe/templates/zlog.conf.j2 b/roles/tfe/templates/zlog.conf.j2 new file mode 100644 index 0000000..cddfaf6 --- /dev/null +++ b/roles/tfe/templates/zlog.conf.j2 @@ -0,0 +1,20 @@ +# kill -s SIGHUP "pid" + +[global] + +default format = "%d(%c), %V, %F, %U, %m%n" + +[levels] + +DEBUG=10 +INFO=20 +FATAL=30 + +[rules] + +*.fatal "./log/error.log.%d(%F)"; +tfe.{{ tfe_log_level }} "./log/tfe.log.%d(%F)"; +http.{{ tfe_http_log_level }} "./log/http.log.%d(%F)"; +http2.{{ tfe_http_log_level }} "./log/http2.log.%d(%F)"; +doh.{{ doh_log_level }} "./log/doh_pxy.log.%d(%F)"; +pangu.{{ pangu_log_level }} "./log/pangu_pxy.log.%d(%F)"; \ No newline at end of file 
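Review bot: The `[ssl]` block keeps `no_ssl3=0`, `no_tls10=0`, `no_tls11=0`, `ssl_compression=1` and `default_ciphers=ALL:-aNULL`, so SSLv3 and TLS 1.0/1.1 remain enabled, TLS compression (CRIME) is on, and every non-anonymous cipher `ALL` expands to on the host's OpenSSL is offered; the comment says protocol versions are set from the TSG website, but nothing says that about compression or ciphers, so set `ssl_compression=0` and a modern list such as `default_ciphers=HIGH:!aNULL:!MD5:!RC4:!3DES`. When `tsg_running_type == 2` the trust store becomes `resource/tfe/tsg_diagnose_ca.pem`, which the `tsg-diagnose_sync_ca` role in this commit fills from an unauthenticated rsync pull; a comment next to that branch, `# diagnose CA is fetched over plain rsync with no integrity check - never run this mode against production traffic`, would make the trade-off visible to whoever flips the variable. `check_cert_crl=0` and `no_cert_verify=0` are fine defaults, but the `key_log_file` line is worth a comment that `log_master_key=0` must stay 0 outside debugging.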
diff --git a/roles/tsg-diagnose/files/install_docker.zip b/roles/tsg-diagnose/files/install_docker.zip new file mode 100644 index 0000000..7725529 Binary files /dev/null and b/roles/tsg-diagnose/files/install_docker.zip differ diff --git a/roles/tsg-diagnose/files/memory.conf b/roles/tsg-diagnose/files/memory.conf new file mode 100644 index 0000000..5de1253 --- /dev/null +++ b/roles/tsg-diagnose/files/memory.conf @@ -0,0 +1,2 @@ +[Service] +MemoryMax=100G \ No newline at end of file diff --git a/roles/tsg-diagnose/files/tsg-diagnose-20.10.01.7041374-1.el7.x86_64.rpm b/roles/tsg-diagnose/files/tsg-diagnose-20.10.01.7041374-1.el7.x86_64.rpm new file mode 100644 index 0000000..1ec760c Binary files /dev/null and b/roles/tsg-diagnose/files/tsg-diagnose-20.10.01.7041374-1.el7.x86_64.rpm differ diff --git a/roles/tsg-diagnose/tasks/main.yml b/roles/tsg-diagnose/tasks/main.yml new file mode 100644 index 0000000..a21fc9e --- /dev/null +++ b/roles/tsg-diagnose/tasks/main.yml 
@@ -0,0 +1,44 @@ +- name: "Tsg-diagnose:copy file to device" + copy: + src: '{{ role_path }}/files/' + dest: /tmp/ansible_deploy/ + +- name: "unarchive install_docker.zip" + unarchive: + src: /tmp/ansible_deploy/install_docker.zip + dest: /tmp/ansible_deploy/ + remote_src: yes + +- name: "exec docker install shell" + shell: cd /tmp/ansible_deploy/install_docker; sh setup_docker.sh + +- name: 'Docker service start and enable' + systemd: + name: docker + enabled: yes + state: started + daemon_reload: yes + +- name: "Install tsg-diagnose rpm package" + yum: + name: + - "/tmp/ansible_deploy/tsg-diagnose-20.10.01.7041374-1.el7.x86_64.rpm" + state: present + +- name: "tsg-diagnose init certs" + shell: /bin/sh /opt/tsg/tsg-diagnose/deploy/init_certs/init_badssl_certs.sh + +- name: "copy memory limit file to tsg-diagnose.service.d" + copy: + src: "{{ role_path }}/files/memory.conf" + dest: /etc/systemd/system/tsg-diagnose.service.d/ + mode: 0644 + +- name: 'Tsg-diagnose service start' + systemd: + name: tsg-diagnose + enabled: yes + daemon_reload: yes + +- name: "tsg-diagnose init rsync deamon" + shell: /bin/sh /opt/tsg/tsg-diagnose/deploy/rsync/init_rsyncd.sh diff --git a/roles/tsg-diagnose_stop_sync/tasks/main.yml b/roles/tsg-diagnose_stop_sync/tasks/main.yml new file mode 100644 index 0000000..f8ddd6a --- /dev/null +++ b/roles/tsg-diagnose_stop_sync/tasks/main.yml @@ -0,0 +1,3 @@ +- name: "tsg-diagnose: stop rsync deamon process" + shell: killall -9 rsync + diff --git a/roles/tsg-diagnose_sync_ca/tasks/main.yml b/roles/tsg-diagnose_sync_ca/tasks/main.yml new file mode 100644 index 0000000..b6265c5 --- /dev/null +++ b/roles/tsg-diagnose_sync_ca/tasks/main.yml 
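Review bot: The task named `'Tsg-diagnose service start'` never starts the service — it sets `enabled: yes` and `daemon_reload: yes` but omits `state: started`, so the memory-limit drop-in copied just above is only picked up at the next boot; add `state: started` (or `state: restarted` when the drop-in changed). Earlier in the hunk the Docker installer is unpacked into and executed from `/tmp/ansible_deploy/`, a world-writable staging area, with no `mode:` on the copy and no `creates:` guard, so every run re-executes whatever is in that directory as root; stage it in a root-owned directory (e.g. `dest: /opt/tsg/deploy/` with `mode: "0750"`) and give the three `shell` tasks `creates:`/`changed_when:` so the role is idempotent. The octal modes should be quoted (`mode: "0644"`) and the `yes` values written as `true`, here and in the tsg-env-* task files.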
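Review bot: `killall -9 rsync` terminates every rsync process on the host, not just the daemon started by `init_rsyncd.sh`, and SIGKILL gives it no chance to clean up; target the daemon by its pid file or unit and send SIGTERM first, e.g. `shell: pkill -TERM -f 'rsync --daemon' || true` with `changed_when: false`, or a `systemd` task if the init script installs a unit. The trailing empty line in the file is also unnecessary.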
@@ -0,0 +1,6 @@
+- name: "tsg-diagnose: rsync badssl ca certs"
+ shell: rsync -avzP --delete 192.168.100.1::blade0toother /tmp/sync/
+
+- name: "tsg-diagnose: add badssl ca file to tfe tls-ca-bundle"
+ shell: cat /tmp/sync/ca-root.crt > /opt/tsg/tfe/resource/tfe/tsg_diagnose_ca.pem && cat /tmp/sync/wpr_cert.pem >> /opt/tsg/tfe/resource/tfe/tsg_diagnose_ca.pem
+
diff --git a/roles/tsg-env-mcn0/files/setup b/roles/tsg-env-mcn0/files/setup
new file mode 100644
index 0000000..a8050e8
--- /dev/null
+++ b/roles/tsg-env-mcn0/files/setup
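Review bot: The CA material that ends up in `/opt/tsg/tfe/resource/tfe/tsg_diagnose_ca.pem` is pulled over an unauthenticated, unencrypted rsync daemon module (`192.168.100.1::blade0toother`) into `/tmp/sync/` and appended with no integrity check, so whoever can answer on that VLAN address, or write to `/tmp/sync/` between the two tasks, decides which CA TFE trusts. If the source host is managed by this playbook too, prefer `ansible.builtin.fetch` plus `copy` with `checksum:`, or at least compare the certificate fingerprint against an expected value before concatenating, and stage into a root-owned directory rather than `/tmp`. Both `shell` tasks also need `changed_when`/`creates` so the role reports idempotently.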
@@ -0,0 +1,132 @@ +#!/bin/bash +# set -x + +CURRENT_PATH=`dirname $0` +TP_SVR=192.168.100.5 +TP_PORT=10000 +REMOTE_CONTROL_BIN=switch_control_client_non_block + +function get_netdev_by_pci() +{ + DEV_LIST=`ifconfig -a |grep flags |awk -F: '{print $1}'` + for i in ${DEV_LIST} + do + ethtool -i ${i} |grep bus-info |grep "$1" > /dev/null 2>&1 + if [ $? -eq 0 ];then + TARGET=${i} + break + fi + done + + echo ${TARGET} +} + +function pf_setup() +{ + ifconfig ens1 up + + modprobe 8021q + vconfig add ens1 100 + vconfig set_flag ens1.100 1 1 + ifconfig ens1.100 192.168.100.1 netmask 255.255.255.0 up + sleep 1 +} + +function vf_setup() +{ + echo 8 > /sys/class/net/ens1/device/sriov_numvfs + sleep 5 + + ifconfig ens1f3 up + ip link set ens1 vf 2 vlan 200 + ifconfig ens1f3 192.168.200.1 netmask 255.255.255.0 + + ifconfig ens1f1 up + ifconfig ens1f2 up + ifconfig ens1f3 up + ifconfig ens1f4 up + ifconfig ens1f5 up + ifconfig ens1f6 up + ifconfig ens1f7 up + ifconfig enp1s1 up + + sleep 5 +} + +function bring_down_pfvf() +{ + echo 0 > /sys/class/net/ens1/device/sriov_numvfs + ifconfig ens1 down + sleep 3 +} + + +# Main loop +while : +do + FAIL_FLAG=0 + + # Make sure PF is valid + ping ${TP_SVR} -c 1 + if [ $? -ne 0 ];then + echo "Please make sure switch board is up." + bring_down_pfvf + pf_setup + continue + fi + + # Make sure TestPoint is up. + ${CURRENT_PATH}/${REMOTE_CONTROL_BIN} -s ${TP_SVR} -n ${TP_PORT} -c "show version" + if [ $? -ne 0 ];then + echo "Cannot reach TestPoint!" + echo "Please make sure TestPoint is up and in remote-listen mode." 
+ sleep 5 + continue + fi + + # Create VFs and get MAC addresses + vf_setup + + PF=`get_netdev_by_pci 01:00.0` + VF1=`get_netdev_by_pci 01:00.1` + VF2=`get_netdev_by_pci 01:00.2` + VF3=`get_netdev_by_pci 01:00.3` + VF4=`get_netdev_by_pci 01:00.4` + VF5=`get_netdev_by_pci 01:00.5` + VF6=`get_netdev_by_pci 01:00.6` + VF7=`get_netdev_by_pci 01:00.7` + VF8=`get_netdev_by_pci 01:01.0` + + MAC1=`ifconfig ${VF1} |grep ether |awk -F' ' '{print $2}'` + MAC2=`ifconfig ${VF2} |grep ether |awk -F' ' '{print $2}'` + MAC3=`ifconfig ${VF3} |grep ether |awk -F' ' '{print $2}'` + MAC4=`ifconfig ${VF4} |grep ether |awk -F' ' '{print $2}'` + MAC5=`ifconfig ${VF5} |grep ether |awk -F' ' '{print $2}'` + MAC6=`ifconfig ${VF6} |grep ether |awk -F' ' '{print $2}'` + MAC7=`ifconfig ${VF7} |grep ether |awk -F' ' '{print $2}'` + MAC8=`ifconfig ${VF8} |grep ether |awk -F' ' '{print $2}'` + MAC9=`ifconfig ${PF} |grep ether |awk -F' ' '{print $2}'` + + # Make sure VFs are valid + MAC_TABLE=`${CURRENT_PATH}/${REMOTE_CONTROL_BIN} -s ${TP_SVR} -n ${TP_PORT} -c "show mac table all"` + + for i in ${MAC1} ${MAC2} ${MAC3} ${MAC4} ${MAC5} ${MAC6} ${MAC7} ${MAC8} ${MAC9} + do + echo ${MAC_TABLE} |grep ${i} > /dev/null 2>&1 + if [ $? -ne 0 ];then + echo "MAC ${i} is not in table!" + FAIL_FLAG=1 + break + fi + done + + if [ ${FAIL_FLAG} -eq 1 ];then + bring_down_pfvf + continue + fi + + echo "PF/VF setup successful." + exit 0 +done + + diff --git a/roles/tsg-env-mcn0/files/switch_control_client_non_block b/roles/tsg-env-mcn0/files/switch_control_client_non_block new file mode 100644 index 0000000..5cdba48 Binary files /dev/null and b/roles/tsg-env-mcn0/files/switch_control_client_non_block differ diff --git a/roles/tsg-env-mcn0/files/tsg-env.service b/roles/tsg-env-mcn0/files/tsg-env.service new file mode 100644 index 0000000..d83df53 --- /dev/null +++ b/roles/tsg-env-mcn0/files/tsg-env.service 
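Review bot: `get_netdev_by_pci` never initialises or localises `TARGET`, so when a PCI address is not found the function echoes the device matched by the previous call and the following `MACn` lookups read the wrong interface; start it with `local TARGET=""` and `local i`. The MAC check has a related gap: an unset `MACn` is unquoted in `for i in ${MAC1} … ${MAC9}`, so it simply disappears from the list and an absent VF is never checked against the switch table — count the MACs before the loop (`[ -z "${MAC1}" ] && FAIL_FLAG=1`, or collect them in an array and compare its length to 9) and use `grep -qw -- "${i}"`. The same two issues are in roles/tsg-env-mcn0/templates/setup.AllotAccess.j2 and the `setup` scripts of tsg-env-mcn1, tsg-env-mcn2 and tsg-env-mcn3. Also, the PF-failure path (`bring_down_pfvf; pf_setup; continue`) has no delay, so an unreachable switch board makes the loop spin.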
@@ -0,0 +1,15 @@ +[Unit] +Description=tsg sled-mcn0 env init +Requires=network.target +After=network.target +Before=mrenv.service + +[Service] +ExecStart=/opt/tsg/env/setup +ExecStop=/opt/tsg/env/tsg-env_stop +Type=oneshot +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target +RequiredBy=mrenv.service diff --git a/roles/tsg-env-mcn0/files/tsg-env_stop b/roles/tsg-env-mcn0/files/tsg-env_stop new file mode 100644 index 0000000..f87d14f --- /dev/null +++ b/roles/tsg-env-mcn0/files/tsg-env_stop @@ -0,0 +1,6 @@ +#!/bin/bash +# +echo 0 >/sys/class/net/ens1/device/sriov_numvfs +ifconfig ens1.100 down +vconfig rem ens1.100 +ifconfig ens1 down diff --git a/roles/tsg-env-mcn0/tasks/main.yml b/roles/tsg-env-mcn0/tasks/main.yml new file mode 100644 index 0000000..21d8bb8 --- /dev/null +++ b/roles/tsg-env-mcn0/tasks/main.yml @@ -0,0 +1,39 @@ +--- +- name: "copy setup script" + copy: + src: "{{ role_path }}/files/setup" + dest: /opt/tsg/env/ + mode: 0755 + when: tsg_access_type == 1 + +- name: "Template setup script" + template: + src: "{{ role_path }}/templates/setup.AllotAccess.j2" + dest: /opt/tsg/env/setup + mode: 0755 + when: tsg_access_type == 2 + +- name: "copy switch_control_client_non_block" + copy: + src: "{{ role_path }}/files/switch_control_client_non_block" + dest: "/opt/tsg/env/" + mode: 0755 + +- name: "copy tsg-env.service" + copy: + src: "{{ role_path }}/files/tsg-env.service" + dest: "/usr/lib/systemd/system/" + mode: 0644 + +- name: "copy tsg-env_stop" + copy: + src: "{{ role_path }}/files/tsg-env_stop" + dest: "/opt/tsg/env/" + mode: 0755 + +- name: "enable tsg-env" + systemd: + name: tsg-env + enabled: yes + daemon_reload: yes + diff --git a/roles/tsg-env-mcn0/templates/setup.AllotAccess.j2 b/roles/tsg-env-mcn0/templates/setup.AllotAccess.j2 new file mode 100644 index 0000000..85dab27 --- /dev/null +++ b/roles/tsg-env-mcn0/templates/setup.AllotAccess.j2 
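Review bot: `ExecStart=/opt/tsg/env/setup` is a `Type=oneshot` unit whose script loops until the switch board and TestPoint answer, and oneshot units have no start timeout by default, so together with `Before=mrenv.service` / `RequiredBy=mrenv.service` an unreachable switch blocks `mrenv.service` indefinitely; set an explicit `TimeoutStartSec=` and decide what the dependents should do on failure. `Requires=network.target` / `After=network.target` does not guarantee a usable link for the script's `ping`; use `Wants=network-online.target` and `After=network-online.target`. The tsg-env-mcn1, tsg-env-mcn2 and tsg-env-mcn3 units have the same shape.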
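Review bot: Both `setup` tasks are gated on `tsg_access_type == 1` / `== 2`, so a value that is neither (or a string `"1"`, which an INI inventory may deliver and which does not compare equal to the integer) installs nothing while the last task still enables `tsg-env`, whose `ExecStart` then points at a missing `/opt/tsg/env/setup`; add an up-front `assert: { that: "tsg_access_type | int in [1, 2]" }` or compare with `tsg_access_type | int == 1`. The copy task writes to `dest: /opt/tsg/env/` while the template task uses `dest: /opt/tsg/env/setup`; both land on the same file, but the two should be spelled the same. Quote the octal modes (`mode: "0755"`) and write `true` instead of `yes`.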
@@ -0,0 +1,144 @@ +#!/bin/bash +# set -x + +CURRENT_PATH=`dirname $0` +TP_SVR=192.168.100.5 +TP_PORT=10000 +REMOTE_CONTROL_BIN=switch_control_client_non_block + +function get_netdev_by_pci() +{ + DEV_LIST=`ifconfig -a |grep flags |awk -F: '{print $1}'` + for i in ${DEV_LIST} + do + ethtool -i ${i} |grep bus-info |grep "$1" > /dev/null 2>&1 + if [ $? -eq 0 ];then + TARGET=${i} + break + fi + done + + echo ${TARGET} +} + +function pf_setup() +{ + ifconfig ens1 up + + modprobe 8021q + vconfig add ens1 100 + vconfig set_flag ens1.100 1 1 + ifconfig ens1.100 192.168.100.1 netmask 255.255.255.0 up + sleep 1 +} + +function vf_setup() +{ + echo 8 > /sys/class/net/ens1/device/sriov_numvfs + sleep 5 + + ifconfig ens1f3 up + ip link set ens1 vf 2 vlan 200 + ifconfig ens1f3 192.168.200.1 netmask 255.255.255.0 + + ifconfig ens1f1 up + ifconfig ens1f2 up + ifconfig ens1f3 up + ifconfig ens1f4 up + ifconfig ens1f5 up + ifconfig ens1f6 up + ifconfig ens1f7 up + ifconfig enp1s1 up + + sleep 5 +} + +function bring_down_pfvf() +{ + echo 0 > /sys/class/net/ens1/device/sriov_numvfs + ifconfig ens1 down + sleep 3 +} + +function AllotAccessNetworkModel() +{ + ip link add link ens1f2 name {{ AllotAccess.virturlInterface_1 }} type vlan id {{ AllotAccess.virturlID_1 }} + ip link add link ens1f2 name {{ AllotAccess.virturlInterface_2 }} type vlan id {{ AllotAccess.virturlID_2 }} + ip addr add {{ vvipv4_1 }}/{{ AllotAccess.vvipv4_mask }} dev {{ AllotAccess.virturlInterface_1 }} + ip addr add {{ vvipv4_2 }}/{{ AllotAccess.vvipv4_mask }} dev {{ AllotAccess.virturlInterface_2 }} + ip -6addr add {{ vvipv6_1 }}/{{ AllotAccess.vvipv6_mask }} dev {{ AllotAccess.virturlInterface_1 }} + ip -6addr add {{ vvipv6_2 }}/{{ AllotAccess.vvipv6_mask }} dev {{ AllotAccess.virturlInterface_2 }} +} + +# Main loop +while : +do + FAIL_FLAG=0 + + # Make sure PF is valid + ping ${TP_SVR} -c 1 + if [ $? -ne 0 ];then + echo "Please make sure switch board is up." 
+ bring_down_pfvf + pf_setup + continue + fi + + # Make sure TestPoint is up. + ${CURRENT_PATH}/${REMOTE_CONTROL_BIN} -s ${TP_SVR} -n ${TP_PORT} -c "show version" + if [ $? -ne 0 ];then + echo "Cannot reach TestPoint!" + echo "Please make sure TestPoint is up and in remote-listen mode." + sleep 5 + continue + fi + + # Create VFs and get MAC addresses + vf_setup + + PF=`get_netdev_by_pci 01:00.0` + VF1=`get_netdev_by_pci 01:00.1` + VF2=`get_netdev_by_pci 01:00.2` + VF3=`get_netdev_by_pci 01:00.3` + VF4=`get_netdev_by_pci 01:00.4` + VF5=`get_netdev_by_pci 01:00.5` + VF6=`get_netdev_by_pci 01:00.6` + VF7=`get_netdev_by_pci 01:00.7` + VF8=`get_netdev_by_pci 01:01.0` + + MAC1=`ifconfig ${VF1} |grep ether |awk -F' ' '{print $2}'` + MAC2=`ifconfig ${VF2} |grep ether |awk -F' ' '{print $2}'` + MAC3=`ifconfig ${VF3} |grep ether |awk -F' ' '{print $2}'` + MAC4=`ifconfig ${VF4} |grep ether |awk -F' ' '{print $2}'` + MAC5=`ifconfig ${VF5} |grep ether |awk -F' ' '{print $2}'` + MAC6=`ifconfig ${VF6} |grep ether |awk -F' ' '{print $2}'` + MAC7=`ifconfig ${VF7} |grep ether |awk -F' ' '{print $2}'` + MAC8=`ifconfig ${VF8} |grep ether |awk -F' ' '{print $2}'` + MAC9=`ifconfig ${PF} |grep ether |awk -F' ' '{print $2}'` + + # Make sure VFs are valid + MAC_TABLE=`${CURRENT_PATH}/${REMOTE_CONTROL_BIN} -s ${TP_SVR} -n ${TP_PORT} -c "show mac table all"` + + for i in ${MAC1} ${MAC2} ${MAC3} ${MAC4} ${MAC5} ${MAC6} ${MAC7} ${MAC8} ${MAC9} + do + echo ${MAC_TABLE} |grep ${i} > /dev/null 2>&1 + if [ $? -ne 0 ];then + echo "MAC ${i} is not in table!" + FAIL_FLAG=1 + break + fi + done + + if [ ${FAIL_FLAG} -eq 1 ];then + bring_down_pfvf + continue + fi + + # Set_AllotAccessNetworkModel + AllotAccessNetworkModel + + echo "PF/VF setup successful." + exit 0 +done + + diff --git a/roles/tsg-env-mcn1/files/setup b/roles/tsg-env-mcn1/files/setup new file mode 100644 index 0000000..3bb1489 --- /dev/null +++ b/roles/tsg-env-mcn1/files/setup 
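Review bot: `ip -6addr add …` in `AllotAccessNetworkModel` fuses the family flag and the object; iproute2 expects `ip -6 addr add …`, and as written the command is most likely rejected as an unknown option, so the IPv6 VIPs are never configured while the script still prints "PF/VF setup successful." and exits 0 because no `ip` return code is checked. Split the flag (`ip -6 addr add {{ vvipv6_1 }}/{{ AllotAccess.vvipv6_mask }} dev {{ AllotAccess.virturlInterface_1 }}`, same for the second interface) and make the function fail on a non-zero `ip` exit so the loop can report it. The `get_netdev_by_pci` and MAC-check problems of the plain setup script apply here unchanged.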
@@ -0,0 +1,115 @@ +#!/bin/bash +# set -x + +CURRENT_PATH=`dirname $0` +TP_SVR=192.168.100.5 +TP_PORT=10000 +REMOTE_CONTROL_BIN=switch_control_client_non_block +modprobe 8021q + +function get_netdev_by_pci() +{ + DEV_LIST=`ifconfig -a |grep flags |awk -F: '{print $1}'` + for i in ${DEV_LIST} + do + ethtool -i ${i} |grep bus-info |grep "$1" > /dev/null 2>&1 + if [ $? -eq 0 ];then + TARGET=${i} + break + fi + done + + echo ${TARGET} +} + +function pf_setup() +{ + ifconfig ens1 up + vconfig add ens1 100 + vconfig set_flag ens1.100 1 1 + ifconfig ens1.100 192.168.100.2 netmask 255.255.255.0 up + sleep 1 +} + +function vf_setup() +{ + echo 4 > /sys/class/net/ens1/device/sriov_numvfs + sleep 5 + + ifconfig ens1f3 up + ip link set ens1 vf 2 vlan 200 + ifconfig ens1f3 192.168.200.2 netmask 255.255.255.0 + + ifconfig ens1f1 up + ifconfig ens1f2 up + ifconfig ens1f3 up + ifconfig ens1f4 up + sleep 5 +} + +function bring_down_pfvf() +{ + echo 0 > /sys/class/net/ens1/device/sriov_numvfs + ifconfig ens1 down + sleep 3 +} + +# Main loop +while : +do + FAIL_FLAG=0 + + # Make sure PF is valid + ping ${TP_SVR} -c 1 + if [ $? -ne 0 ];then + echo "Please make sure switch board is up." + bring_down_pfvf + pf_setup + continue + fi + + # Make sure TestPoint is up. + ${CURRENT_PATH}/${REMOTE_CONTROL_BIN} -s ${TP_SVR} -n ${TP_PORT} -c "show version" + if [ $? -ne 0 ];then + echo "Cannot reach TestPoint!" + echo "Please make sure TestPoint is up and in remote-listen mode." 
+ sleep 5 + continue + fi + + # Create VFs and get MAC addresses + vf_setup + + PF=`get_netdev_by_pci 01:00.0` + VF1=`get_netdev_by_pci 01:00.1` + VF2=`get_netdev_by_pci 01:00.2` + VF3=`get_netdev_by_pci 01:00.3` + VF4=`get_netdev_by_pci 01:00.4` + + MAC0=`ifconfig ${PF} |grep ether |awk -F' ' '{print $2}'` + MAC1=`ifconfig ${VF1} |grep ether |awk -F' ' '{print $2}'` + MAC2=`ifconfig ${VF2} |grep ether |awk -F' ' '{print $2}'` + MAC3=`ifconfig ${VF3} |grep ether |awk -F' ' '{print $2}'` + MAC4=`ifconfig ${VF4} |grep ether |awk -F' ' '{print $2}'` + + # Make sure VFs are valid + MAC_TABLE=`${CURRENT_PATH}/${REMOTE_CONTROL_BIN} -s ${TP_SVR} -n ${TP_PORT} -c "show mac table all"` + + for i in ${MAC0} ${MAC1} ${MAC2} ${MAC3} ${MAC4} + do + echo ${MAC_TABLE} |grep ${i} > /dev/null 2>&1 + if [ $? -ne 0 ];then + echo "MAC ${i} is not in table!" + FAIL_FLAG=1 + break + fi + done + + if [ ${FAIL_FLAG} -eq 1 ];then + bring_down_pfvf + continue + fi + + echo "PF/VF setup successful." + exit 0 +done diff --git a/roles/tsg-env-mcn1/files/switch_control_client_non_block b/roles/tsg-env-mcn1/files/switch_control_client_non_block new file mode 100644 index 0000000..5cdba48 Binary files /dev/null and b/roles/tsg-env-mcn1/files/switch_control_client_non_block differ diff --git a/roles/tsg-env-mcn1/files/tsg-env.service b/roles/tsg-env-mcn1/files/tsg-env.service new file mode 100644 index 0000000..9883b24 --- /dev/null +++ b/roles/tsg-env-mcn1/files/tsg-env.service @@ -0,0 +1,15 @@ +[Unit] +Description=tsg sled-mcn1 env init +Requires=network.target +After=network.target +Before=tfe-env.service mrenv.service + +[Service] +ExecStart=/opt/tsg/env/setup +ExecStop=/opt/tsg/env/tsg-env_stop +Type=oneshot +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target +RequiredBy=tfe-env.service mrenv.service \ No newline at end of file diff --git a/roles/tsg-env-mcn1/files/tsg-env_stop b/roles/tsg-env-mcn1/files/tsg-env_stop new file mode 100644 index 0000000..f87d14f --- /dev/null 
+++ b/roles/tsg-env-mcn1/files/tsg-env_stop @@ -0,0 +1,6 @@ +#!/bin/bash +# +echo 0 >/sys/class/net/ens1/device/sriov_numvfs +ifconfig ens1.100 down +vconfig rem ens1.100 +ifconfig ens1 down diff --git a/roles/tsg-env-mcn1/tasks/main.yml b/roles/tsg-env-mcn1/tasks/main.yml new file mode 100644 index 0000000..24ce082 --- /dev/null +++ b/roles/tsg-env-mcn1/tasks/main.yml @@ -0,0 +1,30 @@ +--- +- name: "copy setup script" + copy: + src: "{{ role_path }}/files/setup" + dest: "/opt/tsg/env/" + mode: 0755 + +- name: "copy switch_control_client_non_block" + copy: + src: "{{ role_path }}/files/switch_control_client_non_block" + dest: "/opt/tsg/env/" + mode: 0755 + +- name: "copy tsg-env.service" + copy: + src: "{{ role_path }}/files/tsg-env.service" + dest: "/usr/lib/systemd/system/" + mode: 0644 + +- name: "copy tsg-env_stop" + copy: + src: "{{ role_path }}/files/tsg-env_stop" + dest: "/opt/tsg/env/" + mode: 0755 + +- name: "enable tsg-env" + systemd: + name: tsg-env + enabled: yes + daemon_reload: yes diff --git a/roles/tsg-env-mcn2/files/setup b/roles/tsg-env-mcn2/files/setup new file mode 100644 index 0000000..eb986bd --- /dev/null +++ b/roles/tsg-env-mcn2/files/setup 
@@ -0,0 +1,115 @@ +#!/bin/bash +# set -x + +CURRENT_PATH=`dirname $0` +TP_SVR=192.168.100.5 +TP_PORT=10000 +REMOTE_CONTROL_BIN=switch_control_client_non_block +modprobe 8021q + +function get_netdev_by_pci() +{ + DEV_LIST=`ifconfig -a |grep flags |awk -F: '{print $1}'` + for i in ${DEV_LIST} + do + ethtool -i ${i} |grep bus-info |grep "$1" > /dev/null 2>&1 + if [ $? -eq 0 ];then + TARGET=${i} + break + fi + done + + echo ${TARGET} +} + +function pf_setup() +{ + ifconfig ens8 up + vconfig add ens8 100 + vconfig set_flag ens8.100 1 1 + ifconfig ens8.100 192.168.100.3 netmask 255.255.255.0 up + sleep 1 +} + +function vf_setup() +{ + echo 4 > /sys/class/net/ens8/device/sriov_numvfs + sleep 5 + + ifconfig ens8f3 up + ip link set ens8 vf 2 vlan 200 + ifconfig ens8f3 192.168.200.3 netmask 255.255.255.0 + + ifconfig ens8f1 up + ifconfig ens8f2 up + ifconfig ens8f3 up + ifconfig ens8f4 up + sleep 5 +} + +function bring_down_pfvf() +{ + echo 0 > /sys/class/net/ens8/device/sriov_numvfs + ifconfig ens8 down + sleep 3 +} + +# Main loop +while : +do + FAIL_FLAG=0 + + # Make sure PF is valid + ping ${TP_SVR} -c 1 + if [ $? -ne 0 ];then + echo "Please make sure switch board is up." + bring_down_pfvf + pf_setup + continue + fi + + # Make sure TestPoint is up. + ${CURRENT_PATH}/${REMOTE_CONTROL_BIN} -s ${TP_SVR} -n ${TP_PORT} -c "show version" + if [ $? -ne 0 ];then + echo "Cannot reach TestPoint!" + echo "Please make sure TestPoint is up and in remote-listen mode." 
+ sleep 5 + continue + fi + + # Create VFs and get MAC addresses + vf_setup + + PF=`get_netdev_by_pci 85:00.0` + VF1=`get_netdev_by_pci 85:00.1` + VF2=`get_netdev_by_pci 85:00.2` + VF3=`get_netdev_by_pci 85:00.3` + VF4=`get_netdev_by_pci 85:00.4` + + MAC0=`ifconfig ${PF} |grep ether |awk -F' ' '{print $2}'` + MAC1=`ifconfig ${VF1} |grep ether |awk -F' ' '{print $2}'` + MAC2=`ifconfig ${VF2} |grep ether |awk -F' ' '{print $2}'` + MAC3=`ifconfig ${VF3} |grep ether |awk -F' ' '{print $2}'` + MAC4=`ifconfig ${VF4} |grep ether |awk -F' ' '{print $2}'` + + # Make sure VFs are valid + MAC_TABLE=`${CURRENT_PATH}/${REMOTE_CONTROL_BIN} -s ${TP_SVR} -n ${TP_PORT} -c "show mac table all"` + + for i in ${MAC0} ${MAC1} ${MAC2} ${MAC3} ${MAC4} + do + echo ${MAC_TABLE} |grep ${i} > /dev/null 2>&1 + if [ $? -ne 0 ];then + echo "MAC ${i} is not in table!" + FAIL_FLAG=1 + break + fi + done + + if [ ${FAIL_FLAG} -eq 1 ];then + bring_down_pfvf + continue + fi + + echo "PF/VF setup successful." + exit 0 +done diff --git a/roles/tsg-env-mcn2/files/switch_control_client_non_block b/roles/tsg-env-mcn2/files/switch_control_client_non_block new file mode 100644 index 0000000..5cdba48 Binary files /dev/null and b/roles/tsg-env-mcn2/files/switch_control_client_non_block differ diff --git a/roles/tsg-env-mcn2/files/tsg-env.service b/roles/tsg-env-mcn2/files/tsg-env.service new file mode 100644 index 0000000..0b3e0d4 --- /dev/null +++ b/roles/tsg-env-mcn2/files/tsg-env.service @@ -0,0 +1,15 @@ +[Unit] +Description=tsg sled-mcn3 env init +Requires=network.target +After=network.target +Before=tfe-env.service mrenv.service + +[Service] +ExecStart=/opt/tsg/env/setup +ExecStop=/opt/tsg/env/tsg-env_stop +Type=oneshot +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target +RequiredBy=tfe-env.service mrenv.service diff --git a/roles/tsg-env-mcn2/files/tsg-env_stop b/roles/tsg-env-mcn2/files/tsg-env_stop new file mode 100644 index 0000000..c1909b1 --- /dev/null 
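Review bot: The mcn2 unit is a byte-identical copy of the mcn3 unit (both blobs are `0b3e0d4`) and so carries `Description=tsg sled-mcn3 env init`; change it to `Description=tsg sled-mcn2 env init` so journal and `systemctl status` output names the right sled.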
+++ b/roles/tsg-env-mcn2/files/tsg-env_stop @@ -0,0 +1,6 @@ +#!/bin/bash +# +echo 0 >/sys/class/net/ens8/device/sriov_numvfs +ifconfig ens8.100 down +vconfig rem ens8.100 +ifconfig ens8 down diff --git a/roles/tsg-env-mcn2/tasks/main.yml b/roles/tsg-env-mcn2/tasks/main.yml new file mode 100644 index 0000000..c3e9bdb --- /dev/null +++ b/roles/tsg-env-mcn2/tasks/main.yml @@ -0,0 +1,30 @@ +--- +- name: "copy setup script" + copy: + src: "{{ role_path }}/files/setup" + dest: "/opt/tsg/env/" + mode: 0755 + +- name: "copy switch_control_client_non_block" + copy: + src: "{{ role_path }}/files/switch_control_client_non_block" + dest: "/opt/tsg/env/" + mode: 0755 + +- name: "copy tsg-env.service" + copy: + src: "{{ role_path }}/files/tsg-env.service" + dest: "/usr/lib/systemd/system/" + mode: 0644 + +- name: "copy tsg-env_stop" + copy: + src: "{{ role_path }}/files/tsg-env_stop" + dest: "/opt/tsg/env/" + mode: 0755 + +- name: "enable tsg-env" + systemd: + name: tsg-env + enabled: yes + daemon_reload: yes diff --git a/roles/tsg-env-mcn3/files/setup b/roles/tsg-env-mcn3/files/setup new file mode 100644 index 0000000..a847c4e --- /dev/null +++ b/roles/tsg-env-mcn3/files/setup 
@@ -0,0 +1,115 @@ +#!/bin/bash +# set -x + +CURRENT_PATH=`dirname $0` +TP_SVR=192.168.100.5 +TP_PORT=10000 +REMOTE_CONTROL_BIN=switch_control_client_non_block +modprobe 8021q + +function get_netdev_by_pci() +{ + DEV_LIST=`ifconfig -a |grep flags |awk -F: '{print $1}'` + for i in ${DEV_LIST} + do + ethtool -i ${i} |grep bus-info |grep "$1" > /dev/null 2>&1 + if [ $? -eq 0 ];then + TARGET=${i} + break + fi + done + + echo ${TARGET} +} + +function pf_setup() +{ + ifconfig ens8 up + vconfig add ens8 100 + vconfig set_flag ens8.100 1 1 + ifconfig ens8.100 192.168.100.4 netmask 255.255.255.0 up + sleep 1 +} + +function vf_setup() +{ + echo 4 > /sys/class/net/ens8/device/sriov_numvfs + sleep 5 + + ifconfig ens8f3 up + ip link set ens8 vf 2 vlan 200 + ifconfig ens8f3 192.168.200.4 netmask 255.255.255.0 + + ifconfig ens8f1 up + ifconfig ens8f2 up + ifconfig ens8f3 up + ifconfig ens8f4 up + sleep 5 +} + +function bring_down_pfvf() +{ + echo 0 > /sys/class/net/ens8/device/sriov_numvfs + ifconfig ens8 down + sleep 3 +} + +# Main loop +while : +do + FAIL_FLAG=0 + + # Make sure PF is valid + ping ${TP_SVR} -c 1 + if [ $? -ne 0 ];then + echo "Please make sure switch board is up." + bring_down_pfvf + pf_setup + continue + fi + + # Make sure TestPoint is up. + ${CURRENT_PATH}/${REMOTE_CONTROL_BIN} -s ${TP_SVR} -n ${TP_PORT} -c "show version" + if [ $? -ne 0 ];then + echo "Cannot reach TestPoint!" + echo "Please make sure TestPoint is up and in remote-listen mode." 
+ sleep 5 + continue + fi + + # Create VFs and get MAC addresses + vf_setup + + PF=`get_netdev_by_pci 85:00.0` + VF1=`get_netdev_by_pci 85:00.1` + VF2=`get_netdev_by_pci 85:00.2` + VF3=`get_netdev_by_pci 85:00.3` + VF4=`get_netdev_by_pci 85:00.4` + + MAC0=`ifconfig ${PF} |grep ether |awk -F' ' '{print $2}'` + MAC1=`ifconfig ${VF1} |grep ether |awk -F' ' '{print $2}'` + MAC2=`ifconfig ${VF2} |grep ether |awk -F' ' '{print $2}'` + MAC3=`ifconfig ${VF3} |grep ether |awk -F' ' '{print $2}'` + MAC4=`ifconfig ${VF4} |grep ether |awk -F' ' '{print $2}'` + + # Make sure VFs are valid + MAC_TABLE=`${CURRENT_PATH}/${REMOTE_CONTROL_BIN} -s ${TP_SVR} -n ${TP_PORT} -c "show mac table all"` + + for i in ${MAC0} ${MAC1} ${MAC2} ${MAC3} ${MAC4} + do + echo ${MAC_TABLE} |grep ${i} > /dev/null 2>&1 + if [ $? -ne 0 ];then + echo "MAC ${i} is not in table!" + FAIL_FLAG=1 + break + fi + done + + if [ ${FAIL_FLAG} -eq 1 ];then + bring_down_pfvf + continue + fi + + echo "PF/VF setup successful." + exit 0 +done diff --git a/roles/tsg-env-mcn3/files/switch_control_client_non_block b/roles/tsg-env-mcn3/files/switch_control_client_non_block new file mode 100644 index 0000000..5cdba48 Binary files /dev/null and b/roles/tsg-env-mcn3/files/switch_control_client_non_block differ diff --git a/roles/tsg-env-mcn3/files/tsg-env.service b/roles/tsg-env-mcn3/files/tsg-env.service new file mode 100644 index 0000000..0b3e0d4 --- /dev/null +++ b/roles/tsg-env-mcn3/files/tsg-env.service @@ -0,0 +1,15 @@ +[Unit] +Description=tsg sled-mcn3 env init +Requires=network.target +After=network.target +Before=tfe-env.service mrenv.service + +[Service] +ExecStart=/opt/tsg/env/setup +ExecStop=/opt/tsg/env/tsg-env_stop +Type=oneshot +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target +RequiredBy=tfe-env.service mrenv.service diff --git a/roles/tsg-env-mcn3/files/tsg-env_stop b/roles/tsg-env-mcn3/files/tsg-env_stop new file mode 100644 index 0000000..c1909b1 --- /dev/null 
+++ b/roles/tsg-env-mcn3/files/tsg-env_stop @@ -0,0 +1,6 @@ +#!/bin/bash +# +echo 0 >/sys/class/net/ens8/device/sriov_numvfs +ifconfig ens8.100 down +vconfig rem ens8.100 +ifconfig ens8 down diff --git a/roles/tsg-env-mcn3/tasks/main.yml b/roles/tsg-env-mcn3/tasks/main.yml new file mode 100644 index 0000000..24ce082 --- /dev/null +++ b/roles/tsg-env-mcn3/tasks/main.yml @@ -0,0 +1,30 @@ +--- +- name: "copy setup script" + copy: + src: "{{ role_path }}/files/setup" + dest: "/opt/tsg/env/" + mode: 0755 + +- name: "copy switch_control_client_non_block" + copy: + src: "{{ role_path }}/files/switch_control_client_non_block" + dest: "/opt/tsg/env/" + mode: 0755 + +- name: "copy tsg-env.service" + copy: + src: "{{ role_path }}/files/tsg-env.service" + dest: "/usr/lib/systemd/system/" + mode: 0644 + +- name: "copy tsg-env_stop" + copy: + src: "{{ role_path }}/files/tsg-env_stop" + dest: "/opt/tsg/env/" + mode: 0755 + +- name: "enable tsg-env" + systemd: + name: tsg-env + enabled: yes + daemon_reload: yes diff --git a/roles/tsg-env-mxn/files/setup b/roles/tsg-env-mxn/files/setup new file mode 100644 index 0000000..7fd0fcb --- /dev/null +++ b/roles/tsg-env-mxn/files/setup @@ -0,0 +1,17 @@ +#!/bin/bash + +/usr/local/bin/open_intf.inst +vconfig add ens1 100 +vconfig set_flag ens1.100 1 1 +ifconfig ens1.100 192.168.100.5 netmask 255.255.255.0 up + +vconfig add ens1 200 +vconfig set_flag ens1.200 1 1 +ifconfig ens1.200 192.168.200.5 netmask 255.255.255.0 up + +echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6 + +/usr/local/testpoint/testpoint.sh start full & + +echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6 +echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6 diff --git a/roles/tsg-env-mxn/files/stop b/roles/tsg-env-mxn/files/stop new file mode 100644 index 0000000..2dab2aa --- /dev/null +++ b/roles/tsg-env-mxn/files/stop 
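Review bot: `echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6` is written twice (before starting TestPoint and again at the end), and neither the `all` nor the `default` setting is persisted, so a later `sysctl --system` can undo what this script set; keep a single write, preferably via a `sysctl.d` drop-in or the Ansible `sysctl` module, and remove the duplicate. `/usr/local/testpoint/testpoint.sh start full &` is backgrounded with no check that it came up, so the unit reports success regardless of whether TestPoint is running.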
@@ -0,0 +1,5 @@ +#!/bin/sh +echo 0 > /sys/class/net/ens1/device/sriov_numvfs +ifconfig ens1.100 down +vconfig rem ens1.100 +ifconfig ens1 down \ No newline at end of file diff --git a/roles/tsg-env-mxn/files/tsg-env.service b/roles/tsg-env-mxn/files/tsg-env.service new file mode 100644 index 0000000..f3ba0a4 --- /dev/null +++ b/roles/tsg-env-mxn/files/tsg-env.service @@ -0,0 +1,13 @@ +[Unit] +Description=tsg sled-mxn env init +Requires=network.target +After=network.target + +[Service] +ExecStart=/opt/tsg/env/setup +ExecStop=/opt/tsg/env/stop +Type=oneshot +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target diff --git a/roles/tsg-env-mxn/tasks/main.yml b/roles/tsg-env-mxn/tasks/main.yml new file mode 100644 index 0000000..36a1b6a --- /dev/null +++ b/roles/tsg-env-mxn/tasks/main.yml @@ -0,0 +1,32 @@ +--- +- name: "copy setup script" + copy: + src: "{{ role_path }}/files/setup" + dest: "/opt/tsg/env/" + mode: 0755 + +- name: "copy stop script" + copy: + src: "{{ role_path }}/files/stop" + dest: "/opt/tsg/env/" + mode: 0755 + +- name: "copy tsg-env.service" + copy: + src: "{{ role_path }}/files/tsg-env.service" + dest: "/usr/lib/systemd/system/" + mode: 0644 + +- name: "enable tsg-env" + systemd: + name: tsg-env + enabled: yes + daemon_reload: yes + +- name: "Template PM1.13_vlan_mac_flipping_saved_startup" + template: + src: "{{ role_path }}/templates/PM1.13_vlan_mac_flipping_saved_startup" + dest: /usr/local/testpoint/perl/Config/libertyTrail/saved_startup + when: tsg_access_type == 2 + + diff --git a/roles/tsg-env-mxn/templates/PM1.13_inline_access_saved_startup b/roles/tsg-env-mxn/templates/PM1.13_inline_access_saved_startup new file mode 100644 index 0000000..afcb444 --- /dev/null +++ b/roles/tsg-env-mxn/templates/PM1.13_inline_access_saved_startup 
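Review bot: `stop` does not undo what `setup` did: setup creates `ens1.100` and `ens1.200` and never touches SR-IOV, while stop resets `sriov_numvfs` (a no-op or error on this host), removes only `ens1.100`, and leaves `ens1.200` and the background TestPoint process alone — it reads like a copy of the mcn stop script. Make it mirror setup: add `ifconfig ens1.200 down` and `vconfig rem ens1.200`, drop the `sriov_numvfs` line, and stop TestPoint with whatever `testpoint.sh` provides for that.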
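Review bot: The commit adds `templates/PM1.13_inline_access_saved_startup` but no task deploys it — only `PM1.13_vlan_mac_flipping_saved_startup` is templated, and only `when: tsg_access_type == 2`, so on a type-1 node `/usr/local/testpoint/perl/Config/libertyTrail/saved_startup` stays whatever it was before. Presumably a sibling task with `when: tsg_access_type == 1` and `src: "{{ role_path }}/templates/PM1.13_inline_access_saved_startup"` is missing; the template task should also set `mode:`, and `mode: 0755`/`yes` should be `"0755"`/`true`.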
@@ -0,0 +1,148 @@ +# TestPoint History +load ./Config/libertyTrail/testpoint_startup + +add vlan port 1 0 + +create vlan 100 +add vlan port 100 0,11,37,39,41,43 +set port config 11 pvid 100 +set port config 11 mask 0,37,39,41,43 +set port config 0,11,39,37,41,43 learning on + +create vlan 200 +add vlan port 200 0,37,39,9,10,41,43 +set port config 0 mask 9..44 +set port config 37 mask 0..36,38..44 +set port config 39 mask 0..38,40..44 +set port config 41 mask 0..40,42..44 +set port config 43 mask 0..44 +set port config 0,39,37,41,43 learning on + +create vlan 1000 +add vlan port 1000 43 +create vlan 1001 +add vlan port 1001 43 + +create lag +add lag 9261 9,10 +add vlan port 200 9261 +set port config 9261 pvid 200 +set port config 9261 parser_cfg L4 +set port config 9261 learning on +set port config 9261 mask 0,11..44 + +create vlan all +create lag +add vlan port all 43 +add lag 9293 1,2,3,4 +add vlan port all 9293 +set port config 9293 parser_cfg L4 +set port config 9293 learning on +set port config 9293 mask 0,5..44 +set vlan tagging all 1,2,3,4 tag +set vlan tagging 1 1,2,3,4 untag + +create lag +add lag 9325 5,6,7,8 +add vlan port all 9325 +set port config 9325 parser_cfg L4 +set port config 9325 learning on +set port config 9325 mask 0..4,9..44 +set vlan tagging all 5,6,7,8 tag +set vlan tagging 1 5,6,7,8 untag + +set port 37,39,41,43 powerdown +set port 37,39,41,43 up +set port 1..36 up + +set port config 11 parser_cfg L4 +set port config 37..44 parser_cfg L4 + +set port config 11..36 max_frame_size 15360 +set switch reserved_mac all switch + +set switch config hashing l234 use_smac on +set switch config hashing l234 use_dmac on +set switch config hashing l234 use_l34 on +set switch config hashing l34 use_dip on +set switch config hashing l34 use_sip on +set switch config hashing l234 symmetric on +set switch config hashing l34 symmetric on + + +set port config 9261,9293,9325 max_frame_size 15360 +create acl 1 + +create acl-rule 1 61 +add acl-rule condition 1 
61 src-glort 0x5803 +add acl-rule condition 1 61 vlan 1000 +add acl-rule action 1 61 redirect 7220 +add acl-rule action 1 61 vlan 1 + +create acl-rule 1 62 +add acl-rule condition 1 62 src-glort 0x5803 +add acl-rule condition 1 62 vlan 1001 +add acl-rule action 1 62 redirect 7213 +add acl-rule action 1 62 vlan 1 + +create acl-rule 1 100 +add acl-rule condition 1 100 src-glort 0x5803 +add acl-rule action 1 100 redirect 9293 + +create acl-rule 1 101 +add acl-rule condition 1 101 src-port 1 +add acl-rule action 1 101 redirect 7216 +create acl-rule 1 102 +add acl-rule condition 1 102 src-port 2 +add acl-rule action 1 102 redirect 7216 +create acl-rule 1 103 +add acl-rule condition 1 103 src-port 3 +add acl-rule action 1 103 redirect 7216 +create acl-rule 1 104 +add acl-rule condition 1 104 src-port 4 +add acl-rule action 1 104 redirect 7216 + +create acl-rule 1 200 +add acl-rule condition 1 200 src-glort 0x5804 +add acl-rule action 1 200 redirect 6189 +create acl-rule 1 201 +add acl-rule condition 1 201 src-glort 0x5805 +add acl-rule action 1 201 redirect 5165 +create acl-rule 1 202 +add acl-rule condition 1 202 src-glort 0x5806 +add acl-rule action 1 202 redirect 4141 +create acl-rule 1 203 +add acl-rule condition 1 203 src-glort 0x5000 +add acl-rule action 1 203 redirect 7217 +create acl-rule 1 204 +add acl-rule condition 1 204 src-glort 0x4800 +add acl-rule action 1 204 redirect 7218 +create acl-rule 1 205 +add acl-rule condition 1 205 src-glort 0x4000 +add acl-rule action 1 205 redirect 7219 + +create acl-rule 1 301 +add acl-rule condition 1 301 src-glort 0x5807 +add acl-rule action 1 301 redirect 7216 +add acl-rule action 1 301 vlan 1000 + +create acl-rule 1 302 +add acl-rule condition 1 302 src-glort 0x5800 +add acl-rule action 1 302 redirect 7216 +add acl-rule action 1 302 vlan 1001 + +create acl-rule 1 401 +add acl-rule condition 1 401 src-glort 0x5001 +add acl-rule action 1 401 redirect 9325 +create acl-rule 1 402 +add acl-rule condition 1 402 src-glort 0x4801 
+add acl-rule action 1 402 redirect 9325 +create acl-rule 1 403 +add acl-rule condition 1 403 src-glort 0x4001 +add acl-rule action 1 403 redirect 9325 +create acl-rule 1 404 +add acl-rule condition 1 404 src-glort 0x5801 +add acl-rule action 1 404 redirect 9325 + +apply acl +remote listen diff --git a/roles/tsg-env-mxn/templates/PM1.13_vlan_mac_flipping_saved_startup b/roles/tsg-env-mxn/templates/PM1.13_vlan_mac_flipping_saved_startup new file mode 100644 index 0000000..36ad018 --- /dev/null +++ b/roles/tsg-env-mxn/templates/PM1.13_vlan_mac_flipping_saved_startup 
@@ -0,0 +1,347 @@ +# TestPoint History +load ./Config/libertyTrail/testpoint_startup + +add vlan port 1 0 + +create vlan 100 +add vlan port 100 0,11,37,39,41,43 +set port config 11 pvid 100 +set port config 11 mask 0,37,39,41,43 +set port config 0,11,39,37,41,43 learning on + +create vlan 200 +add vlan port 200 0,37,39,9,10,41,43 +set port config 0 mask 9..44 +set port config 37 mask 0..36,38..44 +set port config 39 mask 0..38,40..44 +set port config 41 mask 0..40,42..44 +set port config 43 mask 0..44 +set port config 0,39,37,41,43 learning on + +create vlan 4000 +add vlan port 4000 43 +create vlan 4001 +add vlan port 4001 43 + +create lag +add lag 9261 9,10 +add vlan port 200 9261 +set port config 9261 pvid 200 +set port config 9261 parser_cfg L4 +set port config 9261 learning on +set port config 9261 mask 0,11..44 + +create vlan all +create lag +add vlan port all 43 +add lag 9293 1,2,3,4 +add vlan port all 9293 +set port config 9293 parser_cfg L4 +set port config 9293 learning on +set port config 9293 mask 0,5..44 +set vlan tagging all 1,2,3,4 tag +set vlan tagging 1 1,2,3,4 untag + +create lag +add lag 9325 5,6,7,8 +add vlan port all 9325 +set port config 9325 parser_cfg L4 +set port config 9325 learning on +set port config 9325 mask 0..4,9..44 +set vlan tagging all 5,6,7,8 tag +set vlan tagging 1 5,6,7,8 untag + +set port 37,39,41,43 powerdown +set port 37,39,41,43 up +set port 1..36 up + +set port config 11 parser_cfg L4 +set port config 37..44 parser_cfg L4 + +set port config 11..36 max_frame_size 15360 +set switch reserved_mac all switch + +set switch config hashing l234 use_smac on +set switch config hashing l234 use_dmac on +set switch config hashing l234 use_l34 on +set switch config hashing l34 use_dip on +set switch config hashing l34 use_sip on +set switch config hashing l234 symmetric on +set switch config hashing l34 symmetric on + + +set port config 9261,9293,9325 max_frame_size 15360 +create acl 1 + +# Redirect all ARP request to ens1f2 +create 
acl-rule 1 40 +add acl-rule condition 1 40 src-port 1 +add acl-rule condition 1 40 ethtype 0x0806 +add acl-rule action 1 40 redirect 7214 + +create acl-rule 1 41 +add acl-rule condition 1 41 src-port 2 +add acl-rule condition 1 41 ethtype 0x0806 +add acl-rule action 1 41 redirect 7214 + +create acl-rule 1 42 +add acl-rule condition 1 42 src-port 3 +add acl-rule condition 1 42 ethtype 0x0806 +add acl-rule action 1 42 redirect 7214 + +create acl-rule 1 43 +add acl-rule condition 1 43 src-port 4 +add acl-rule condition 1 43 ethtype 0x0806 +add acl-rule action 1 43 redirect 7214 + +# Redirect all ICMPv4 to ens1f2 -- 10.0.0.0/8 +create acl-rule 1 44 +add acl-rule condition 1 44 src-port 1 +add acl-rule condition 1 44 protocol 0x1/0xff +add acl-rule condition 1 44 sip 10.0.0.0/8 +add acl-rule condition 1 44 dip 10.0.0.0/8 +add acl-rule action 1 44 redirect 7214 + +create acl-rule 1 45 +add acl-rule condition 1 45 src-port 2 +add acl-rule condition 1 45 protocol 0x1/0xff3 +add acl-rule condition 1 45 sip 10.0.0.0/8 +add acl-rule condition 1 45 dip 10.0.0.0/8 +add acl-rule action 1 45 redirect 7214 + +create acl-rule 1 46 +add acl-rule condition 1 46 src-port 3 +add acl-rule condition 1 46 protocol 0x1/0xff +add acl-rule condition 1 46 sip 10.0.0.0/8 +add acl-rule condition 1 46 dip 10.0.0.0/8 +add acl-rule action 1 46 redirect 7214 + +create acl-rule 1 47 +add acl-rule condition 1 47 src-port 4 +add acl-rule condition 1 47 protocol 0x1/0xff +add acl-rule condition 1 47 sip 10.0.0.0/8 +add acl-rule condition 1 47 dip 10.0.0.0/8 +add acl-rule action 1 47 redirect 7214 + +# Redirect all ICMPv4 to ens1f2 -- 192.168.0.0/16 +create acl-rule 1 48 +add acl-rule condition 1 48 src-port 1 +add acl-rule condition 1 48 protocol 0x1/0xff +add acl-rule condition 1 48 sip 192.168.0.0/16 +add acl-rule condition 1 48 dip 192.168.0.0/16 +add acl-rule action 1 48 redirect 7214 + +create acl-rule 1 49 +add acl-rule condition 1 49 src-port 2 +add acl-rule condition 1 49 protocol 0x1/0xff3 
+add acl-rule condition 1 49 sip 192.168.0.0/16 +add acl-rule condition 1 49 dip 192.168.0.0/16 +add acl-rule action 1 49 redirect 7214 + +create acl-rule 1 50 +add acl-rule condition 1 50 src-port 3 +add acl-rule condition 1 50 protocol 0x1/0xff +add acl-rule condition 1 50 sip 192.168.0.0/16 +add acl-rule condition 1 50 dip 192.168.0.0/16 +add acl-rule action 1 50 redirect 7214 + +create acl-rule 1 51 +add acl-rule condition 1 51 src-port 4 +add acl-rule condition 1 51 protocol 0x1/0xff +add acl-rule condition 1 51 sip 192.168.0.0/16 +add acl-rule condition 1 51 dip 192.168.0.0/16 +add acl-rule action 1 51 redirect 7214 + +# Redirect all TCP with port 51218, for health check - 192.168.0.0/24 +create acl-rule 1 60 +add acl-rule condition 1 60 src-port 1 +add acl-rule condition 1 60 protocol 0x6/0xff +add acl-rule condition 1 60 sip 192.168.0.0/16 +add acl-rule condition 1 60 dip 192.168.0.0/16 +add acl-rule condition 1 60 l4-dst-port 51218/0xffff +add acl-rule action 1 60 redirect 7214 + +create acl-rule 1 61 +add acl-rule condition 1 61 src-port 2 +add acl-rule condition 1 61 protocol 0x6/0xff +add acl-rule condition 1 61 sip 192.168.0.0/16 +add acl-rule condition 1 61 dip 192.168.0.0/16 +add acl-rule condition 1 61 l4-dst-port 51218/0xffff +add acl-rule action 1 61 redirect 7214 + +create acl-rule 1 62 +add acl-rule condition 1 62 src-port 3 +add acl-rule condition 1 62 protocol 0x6/0xff +add acl-rule condition 1 62 sip 192.168.0.0/16 +add acl-rule condition 1 62 dip 192.168.0.0/16 +add acl-rule condition 1 62 l4-dst-port 51218/0xffff +add acl-rule action 1 62 redirect 7214 + +create acl-rule 1 63 +add acl-rule condition 1 63 src-port 4 +add acl-rule condition 1 63 protocol 0x6/0xff +add acl-rule condition 1 63 sip 192.168.0.0/16 +add acl-rule condition 1 63 dip 192.168.0.0/16 +add acl-rule condition 1 63 l4-dst-port 51218/0xffff +add acl-rule action 1 63 redirect 7214 + +# Redirect all TCP with port 51218, for health check - 10.0.0.0/8 +create acl-rule 1 64 
+add acl-rule condition 1 64 src-port 1 +add acl-rule condition 1 64 protocol 0x6/0xff +add acl-rule condition 1 64 sip 10.0.0.0/8 +add acl-rule condition 1 64 dip 10.0.0.0/8 +add acl-rule condition 1 64 l4-dst-port 51218/0xffff +add acl-rule action 1 64 redirect 7214 + +create acl-rule 1 65 +add acl-rule condition 1 65 src-port 2 +add acl-rule condition 1 65 protocol 0x6/0xff +add acl-rule condition 1 65 sip 10.0.0.0/8 +add acl-rule condition 1 65 dip 10.0.0.0/8 +add acl-rule condition 1 65 l4-dst-port 51218/0xffff +add acl-rule action 1 65 redirect 7214 + +create acl-rule 1 66 +add acl-rule condition 1 66 src-port 3 +add acl-rule condition 1 66 protocol 0x6/0xff +add acl-rule condition 1 66 sip 10.0.0.0/8 +add acl-rule condition 1 66 dip 10.0.0.0/8 +add acl-rule condition 1 66 l4-dst-port 51218/0xffff +add acl-rule action 1 66 redirect 7214 + +create acl-rule 1 67 +add acl-rule condition 1 67 src-port 4 +add acl-rule condition 1 67 protocol 0x6/0xff +add acl-rule condition 1 67 sip 10.0.0.0/8 +add acl-rule condition 1 67 dip 10.0.0.0/8 +add acl-rule condition 1 67 l4-dst-port 51218/0xffff +add acl-rule action 1 67 redirect 7214 + +# Redirect all ICMPv6 link-scope packets +create acl-rule 1 70 +add acl-rule condition 1 70 src-port 1 +add acl-rule condition 1 70 frame-type ipv6 +add acl-rule condition 1 70 ttl 255 +add acl-rule action 1 70 redirect 7214 + +create acl-rule 1 71 +add acl-rule condition 1 71 src-port 2 +add acl-rule condition 1 71 frame-type ipv6 +add acl-rule condition 1 71 ttl 255 +add acl-rule action 1 71 redirect 7214 + +create acl-rule 1 72 +add acl-rule condition 1 72 src-port 3 +add acl-rule condition 1 72 frame-type ipv6 +add acl-rule condition 1 72 ttl 255 +add acl-rule action 1 72 redirect 7214 + +create acl-rule 1 73 +add acl-rule condition 1 73 src-port 4 +add acl-rule condition 1 73 frame-type ipv6 +add acl-rule condition 1 73 ttl 255 +add acl-rule action 1 73 redirect 7214 + +create acl-rule 1 74 +add acl-rule condition 1 74 src-port 1 
+add acl-rule condition 1 74 frame-type ipv6 +add acl-rule condition 1 74 sip fc00::/7 +add acl-rule condition 1 74 dip fc00::/7 +add acl-rule action 1 74 redirect 7214 + +create acl-rule 1 75 +add acl-rule condition 1 75 src-port 2 +add acl-rule condition 1 75 frame-type ipv6 +add acl-rule condition 1 75 sip fc00::/7 +add acl-rule condition 1 75 dip fc00::/7 +add acl-rule action 1 75 redirect 7214 + +create acl-rule 1 76 +add acl-rule condition 1 76 src-port 3 +add acl-rule condition 1 76 frame-type ipv6 +add acl-rule condition 1 76 sip fc00::/7 +add acl-rule condition 1 76 dip fc00::/7 +add acl-rule action 1 76 redirect 7214 + +create acl-rule 1 77 +add acl-rule condition 1 77 src-port 4 +add acl-rule condition 1 77 frame-type ipv6 +add acl-rule condition 1 77 sip fc00::/7 +add acl-rule condition 1 77 dip fc00::/7 +add acl-rule action 1 77 redirect 7214 + +create acl-rule 1 80 +add acl-rule condition 1 80 src-glort 0x5801 +add acl-rule action 1 80 redirect 9293 + +create acl-rule 1 90 +add acl-rule condition 1 90 src-glort 0x5803 +add acl-rule condition 1 90 vlan 4000 +add acl-rule action 1 90 redirect 7220 +add acl-rule action 1 90 vlan 1 + +create acl-rule 1 91 +add acl-rule condition 1 91 src-glort 0x5803 +add acl-rule condition 1 91 vlan 4001 +add acl-rule action 1 91 redirect 7213 +add acl-rule action 1 91 vlan 1 + +create acl-rule 1 100 +add acl-rule condition 1 100 src-glort 0x5803 +add acl-rule action 1 100 redirect 9293 + +create acl-rule 1 101 +add acl-rule condition 1 101 src-port 1 +add acl-rule action 1 101 redirect 7216 +create acl-rule 1 102 +add acl-rule condition 1 102 src-port 2 +add acl-rule action 1 102 redirect 7216 +create acl-rule 1 103 +add acl-rule condition 1 103 src-port 3 +add acl-rule action 1 103 redirect 7216 +create acl-rule 1 104 +add acl-rule condition 1 104 src-port 4 +add acl-rule action 1 104 redirect 7216 + +create acl-rule 1 200 +add acl-rule condition 1 200 src-glort 0x5804 +add acl-rule action 1 200 redirect 6189 +create 
acl-rule 1 201 +add acl-rule condition 1 201 src-glort 0x5805 +add acl-rule action 1 201 redirect 5165 +create acl-rule 1 202 +add acl-rule condition 1 202 src-glort 0x5806 +add acl-rule action 1 202 redirect 4141 +create acl-rule 1 203 +add acl-rule condition 1 203 src-glort 0x5000 +add acl-rule action 1 203 redirect 7217 +create acl-rule 1 204 +add acl-rule condition 1 204 src-glort 0x4800 +add acl-rule action 1 204 redirect 7218 +create acl-rule 1 205 +add acl-rule condition 1 205 src-glort 0x4000 +add acl-rule action 1 205 redirect 7219 + +create acl-rule 1 301 +add acl-rule condition 1 301 src-glort 0x5807 +add acl-rule action 1 301 redirect 7216 +add acl-rule action 1 301 vlan 4000 + +create acl-rule 1 302 +add acl-rule condition 1 302 src-glort 0x5800 +add acl-rule action 1 302 redirect 7216 +add acl-rule action 1 302 vlan 4001 + +create acl-rule 1 401 +add acl-rule condition 1 401 src-glort 0x5001 +add acl-rule action 1 401 redirect 9325 +create acl-rule 1 402 +add acl-rule condition 1 402 src-glort 0x4801 +add acl-rule action 1 402 redirect 9325 +create acl-rule 1 403 +add acl-rule condition 1 403 src-glort 0x4001 +add acl-rule action 1 403 redirect 9325 + +apply acl +remote listen diff --git a/roles/tsg-env-tun-mode/files/tsg-env-tun-mode.service b/roles/tsg-env-tun-mode/files/tsg-env-tun-mode.service new file mode 100644 index 0000000..841a2aa --- /dev/null +++ b/roles/tsg-env-tun-mode/files/tsg-env-tun-mode.service @@ -0,0 +1,15 @@ +[Unit] +Description=tsg tun mode env init +Requires=network.target +After=network.target +Before=mrenv.service + +[Service] +ExecStart=/opt/tsg/env/setup +ExecStop=/opt/tsg/env/tsg-env_stop +Type=oneshot +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target +RequiredBy=mrenv.service 
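Review bot: Rules 45 and 49 use `protocol 0x1/0xff3` while every sibling ICMPv4 rule (44, 46, 47, 48, 50, 51) uses `protocol 0x1/0xff`; the IP protocol field is 8 bits wide, so the extra digit looks like a typo that will either be rejected or match differently on port 2 than on ports 1, 3 and 4, and the two lines should read `add acl-rule condition 1 45 protocol 0x1/0xff` and `add acl-rule condition 1 49 protocol 0x1/0xff`. The heading `# Redirect all TCP with port 51218, for health check - 192.168.0.0/24` disagrees with the `sip`/`dip 192.168.0.0/16` conditions on rules 60-63; either the comment or the prefix length needs correcting so the next editor does not "fix" the wrong one. Since this is a saved startup config with no comments on the glort-to-port mapping (0x5803, 0x5804, ... to redirect 7220, 6189, ...), a short header comment listing which host-side interface each redirect target corresponds to would make the ACL reviewable.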
diff --git a/roles/tsg-env-tun-mode/files/vconfig-1.9-16.el7.x86_64.rpm b/roles/tsg-env-tun-mode/files/vconfig-1.9-16.el7.x86_64.rpm
new file mode 100644
index 0000000..19310d6
Binary files /dev/null and b/roles/tsg-env-tun-mode/files/vconfig-1.9-16.el7.x86_64.rpm differ
diff --git a/roles/tsg-env-tun-mode/tasks/main.yml b/roles/tsg-env-tun-mode/tasks/main.yml
new file mode 100644
index 0000000..b8cd49f
--- /dev/null
+++ b/roles/tsg-env-tun-mode/tasks/main.yml
@@ -0,0 +1,41 @@
+---
+- name: "copy vconfig-1.9-16.el7.x86_64.rpm"
+ copy:
+ src: "{{ role_path }}/files/vconfig-1.9-16.el7.x86_64.rpm"
+ dest: /tmp
+
+- name: "create /opt/tsg/env"
+ file:
+ path: /opt/tsg/env
+ state: directory
+
+- name: "template setup script"
+ template:
+ src: "{{ role_path }}/templates/setup.j2"
+ dest: "/opt/tsg/env/setup"
+ mode: 0755
+
+- name: "copy tsg-env-tun-mode.service"
+ copy:
+ src: "{{ role_path }}/files/tsg-env-tun-mode.service"
+ dest: "/usr/lib/systemd/system/"
+ mode: 0644
+
+- name: "template tsg-env_stop"
+ template:
+ src: "{{ role_path }}/templates/tsg-env_stop.j2"
+ dest: "/opt/tsg/env/tsg-env_stop"
+ mode: 0755
+
+- name: "install vconfig rpms from localhost"
+ yum:
+ name:
+ - /tmp/vconfig-1.9-16.el7.x86_64.rpm
+ state: present
+
+- name: "enable tsg-env-tun-mode"
+ systemd:
+ name: tsg-env-tun-mode
+ enabled: yes
+ daemon_reload: yes
+
diff --git a/roles/tsg-env-tun-mode/templates/setup.j2 b/roles/tsg-env-tun-mode/templates/setup.j2
new file mode 100644
index 0000000..9a333cb
--- /dev/null
+++ b/roles/tsg-env-tun-mode/templates/setup.j2
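Review bot: The vconfig rpm is staged with `dest: /tmp` and then handed to `yum` as `/tmp/vconfig-1.9-16.el7.x86_64.rpm`; /tmp is writable by every local account, so a file that root later installs should be staged in a root-owned directory, for example the `/opt/tsg/env` directory this same role creates, or at minimum the copy should set `owner: root` and `mode: "0644"` so an unexpected pre-existing file at that path is replaced rather than trusted. Separately, `mode: 0755` and `mode: 0644` are unquoted octals that only work because PyYAML happens to read them as base-8, and `enabled: yes` / `daemon_reload: yes` are YAML 1.1 truthies; the conventional spellings are `mode: "0755"`, `mode: "0644"` and `enabled: true`. The install task is also named "install vconfig rpms" but installs a single rpm.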
@@ -0,0 +1,27 @@
+#!/bin/bash
+modprobe 8021q
+vconfig add {{ nic_mgr.name }} 100
+vconfig set_flag {{ nic_mgr.name }}.100 1 1
+ifconfig {{ nic_mgr.name }}.100 192.168.100.1 netmask 255.255.255.0 up
+{% if tsg_access_type == 0 %}
+ethtool -K {{ packet_io.internal_interface }} tso off
+ethtool -K {{ packet_io.internal_interface }} gso off
+ethtool -K {{ packet_io.internal_interface }} gro off
+ethtool -K {{ packet_io.external_interface }} tso off
+ethtool -K {{ packet_io.external_interface }} gso off
+ethtool -K {{ packet_io.external_interface }} gro off
+{% elif tsg_access_type == 4 %}
+echo 3 > /sys/class/net/{{ ATCA_data_incoming.ethname }}/device/sriov_numvfs
+ip link set {{ ATCA_data_incoming.ethname }} vf 1 vlan 4095
+ip link set {{ ATCA_data_incoming.ethname }} vf 2 vlan 4095
+ip link set {{ ATCA_data_incoming.ethname }} vf 0 trust on
+ip link set {{ ATCA_data_incoming.ethname }} vf 1 trust on
+ip link set {{ ATCA_data_incoming.ethname }} vf 2 trust on
+ip link set {{ ATCA_data_incoming.ethname }} vf 1 mac 00:0e:c6:d6:72:c1
+ip link set {{ ATCA_data_incoming.ethname }} vf 2 mac fe:65:b7:03:50:bd
+ip link set {{ ATCA_data_incoming.ethname }} vf 0 spoofchk off
+ip link set {{ ATCA_data_incoming.vf0_name }} up
+ip link set {{ ATCA_data_incoming.vf1_name }} up
+ip link set {{ ATCA_data_incoming.vf2_name }} up
+{% endif %}
+
diff --git a/roles/tsg-env-tun-mode/templates/tsg-env_stop.j2 b/roles/tsg-env-tun-mode/templates/tsg-env_stop.j2
new file mode 100644
index 0000000..0b20d1b
--- /dev/null
+++ b/roles/tsg-env-tun-mode/templates/tsg-env_stop.j2
@@ -0,0 +1,8 @@
+#!/bin/bash
+#
+echo 0 >/sys/class/net/{{ nic_mgr.name }}/device/sriov_numvfs
+ifconfig {{ nic_mgr.name }}.100 down
+vconfig rem {{ nic_mgr.name }}.100
+{% if tsg_access_type == 4 %}
+echo 0 >/sys/class/net/{{ ATCA_data_incoming.ethname }}/device/sriov_numvfs
+{% endif %}
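Review bot: The rendered script has no `set -e`, so when `modprobe 8021q`, `vconfig add`, or the `sriov_numvfs` write fails, the remaining lines still run and the `Type=oneshot` unit that calls it succeeds or fails based only on the last `ip link set ... up`; add `set -eu` directly under the shebang so a broken environment fails the unit visibly. The `vf 0 spoofchk off` line and the three `trust on` lines switch off the NIC-level MAC anti-spoofing and privilege separation between VFs, which is a deliberate security trade-off that the file should explain, e.g. `# VF0 spoofchk off / VFs trusted: required because <reason, e.g. relayed frames carry foreign source MACs>` placed above those lines. The two literal VF MAC addresses would be easier to audit as role variables next to `ATCA_data_incoming.ethname` and `vf1_name`/`vf2_name` rather than constants in the template.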
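Review bot: The first command `echo 0 >/sys/class/net/{{ nic_mgr.name }}/device/sriov_numvfs` resets VFs on the management NIC, but setup.j2 only ever enables SR-IOV on `ATCA_data_incoming.ethname` (and only when `tsg_access_type == 4`), so this line looks like a leftover; on a NIC without SR-IOV the redirect fails with a "No such file" error from bash, and since the script also lacks `set -e` the error is simply printed and ignored. Either remove the line or move it inside the `{% if tsg_access_type == 4 %}` block next to the matching teardown, and replace the empty `#` on line 2 with a comment stating that this script is the `ExecStop` counterpart of setup so the two stay in sync.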
diff --git a/roles/tsg_app/files/app_control_plug-1.0.3.447fc53-2.el7.x86_64.rpm b/roles/tsg_app/files/app_control_plug-1.0.3.447fc53-2.el7.x86_64.rpm
new file mode 100644
index 0000000..ad7245b
Binary files /dev/null and b/roles/tsg_app/files/app_control_plug-1.0.3.447fc53-2.el7.x86_64.rpm differ
diff --git a/roles/tsg_app/files/app_master-1.0.5.5a4fb22-2.el7.x86_64.rpm b/roles/tsg_app/files/app_master-1.0.5.5a4fb22-2.el7.x86_64.rpm
new file mode 100644
index 0000000..ac66184
Binary files /dev/null and b/roles/tsg_app/files/app_master-1.0.5.5a4fb22-2.el7.x86_64.rpm differ
diff --git a/roles/tsg_app/files/app_proto_identify-1.0.5.5c5342a-2.el7.x86_64.rpm b/roles/tsg_app/files/app_proto_identify-1.0.5.5c5342a-2.el7.x86_64.rpm
new file mode 100644
index 0000000..9ff8f49
Binary files /dev/null and b/roles/tsg_app/files/app_proto_identify-1.0.5.5c5342a-2.el7.x86_64.rpm differ
diff --git a/roles/tsg_app/files/app_sketch_local-1.0.4.0edaf58-2.el7.x86_64.rpm b/roles/tsg_app/files/app_sketch_local-1.0.4.0edaf58-2.el7.x86_64.rpm
new file mode 100644
index 0000000..e7cda10
Binary files /dev/null and b/roles/tsg_app/files/app_sketch_local-1.0.4.0edaf58-2.el7.x86_64.rpm differ
diff --git a/roles/tsg_app/tasks/main.yml b/roles/tsg_app/tasks/main.yml
new file mode 100644
index 0000000..c47f274
--- /dev/null
+++ b/roles/tsg_app/tasks/main.yml
@@ -0,0 +1,38 @@
+---
+- name: "copy tsg_app rpms to destination server"
+ copy:
+ src: "{{ role_path }}/files/"
+ dest: /tmp/ansible_deploy/
+
+- name: "install tsg_app packages"
+ yum:
+ name: "{{ app_packages }}"
+ state: present
+ skip_broken: yes
+ vars:
+ app_packages:
+ - /tmp/ansible_deploy/app_master-1.0.5.5a4fb22-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/app_control_plug-1.0.3.447fc53-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/app_proto_identify-1.0.5.5c5342a-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/app_sketch_local-1.0.4.0edaf58-2.el7.x86_64.rpm
+ when: tsg_app_enable == 1
+
+- name: "mkdir appconf"
+ file:
+ path: /home/mesasoft/sapp_run/appconf
+ state: directory
+ when: tsg_app_enable == 1
+
+- name: "Template the appconf/main.conf"
+ template:
+ src: "{{ role_path }}/templates/main.conf.j2"
+ dest: /home/mesasoft/sapp_run/appconf/main.conf
+ tags: template
+ when: tsg_app_enable == 1
+
+- name: "Template the appconf/maat.conf"
+ template:
+ src: "{{ role_path }}/templates/maat.conf.j2"
+ dest: /home/mesasoft/sapp_run/appconf/maat.conf
+ tags: template
+ when: tsg_app_enable == 1
diff --git a/roles/tsg_app/templates/maat.conf.j2 b/roles/tsg_app/templates/maat.conf.j2
new file mode 100644
index 0000000..7f9e78f
--- /dev/null
+++ b/roles/tsg_app/templates/maat.conf.j2
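Review bot: `skip_broken: yes` on the `yum` install of the four local rpm files lets yum drop any package whose dependencies cannot be resolved while the task still reports success, so the template tasks that follow write `appconf/main.conf` and `appconf/maat.conf` for an application that may not actually be installed; remove `skip_broken` (or follow the install with a `package_facts` check on `app_master`) so a missing dependency fails the play instead of hiding. The same `skip_broken: yes` appears in the `roles/tsg_master/tasks/main.yml` hunk below and should be treated the same way. The first task copies the rpms to `/tmp/ansible_deploy/` without the `when: tsg_app_enable == 1` guard every other task carries, so hosts with the app disabled still receive the packages into a world-writable directory.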
@@ -0,0 +1,34 @@
+[APP_SIGNATURE_MAAT]
+MAAT_MODE=2
+STAT_SWITCH=1
+PERF_SWITCH=1
+TABLE_INFO=appconf/app_id_tableinfo.conf
+STAT_FILE=app_id_maat.status
+EFFECT_INTERVAL_S=1
+REDIS_IP={{ maat_redis_server.address }}
+REDIS_PORT_NUM=1
+REDIS_PORT={{ maat_redis_server.port }}
+REDIS_INDEX={{ maat_redis_server.db }}
+JSON_CFG_FILE=appconf/app_id_maat.json
+INC_CFG_DIR=apprule/inc/index/
+FULL_CFG_DIR=apprule/full/index/
+EFFECTIVE_RANGE_FILE=/opt/app/etc/app_device_tag.json
+
+[APP_ACTION_MAAT]
+MAAT_MODE=2
+STAT_SWITCH=1
+PERF_SWITCH=1
+TABLE_INFO=appconf/app_action_tableinfo.conf
+STAT_FILE=app_action_maat.status
+EFFECT_INTERVAL_S=1
+REDIS_IP={{ maat_redis_server.address }}
+REDIS_PORT_NUM=1
+REDIS_PORT={{ maat_redis_server.port }}
+REDIS_INDEX={{ maat_redis_server.db }}
+JSON_CFG_FILE=appconf/app_action_maat.json
+INC_CFG_DIR=apprule/inc/index/
+FULL_CFG_DIR=apprule/full/index/
+EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
+
+[MAAT]
+ACCEPT_TAGS={"tags":[{"tag":"device_id","value":"device_1"}]}
diff --git a/roles/tsg_app/templates/main.conf.j2 b/roles/tsg_app/templates/main.conf.j2
new file mode 100644
index 0000000..07dd20a
--- /dev/null
+++ b/roles/tsg_app/templates/main.conf.j2
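Review bot: `ACCEPT_TAGS={"tags":[{"tag":"device_id","value":"device_1"}]}` hard-codes `device_1`, while the `tsg_device_tag.json.j2` template in this same commit renders the identical structure from `{{ device_id }}`; unless every host really is `device_1`, the line should be `ACCEPT_TAGS={"tags":[{"tag":"device_id","value":"{{ device_id }}"}]}` so the two files cannot drift. `EFFECTIVE_RANGE_FILE=/opt/app/etc/app_device_tag.json` in `[APP_SIGNATURE_MAAT]` points at a file no role in this commit creates, whereas `[APP_ACTION_MAAT]` uses `/opt/tsg/etc/tsg_device_tag.json`, which the tsg_device_tag role does template; presumably the first section needs the same path, or a comment naming what is expected to provide `/opt/app/etc/app_device_tag.json`. The Redis connection is configured with only address, port and db, so a comment recording that `maat_redis_server` is expected to be reachable only from the local network would help whoever later adds authentication.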
@@ -0,0 +1,39 @@
+[FEEDBACK]
+QOS=1
+PUBLISH_TOPIC=APP_SIGNATURE_ID
+#CLIENT_ID=
+BROKER_LIST=tcp://{{ app_global_ip }}:1883
+
+[LUA]
+ENABLE=1
+
+[MAAT]
+PROFILE=./appconf/maat.conf
+
+[APP_LOG]
+MODE=1
+LOG_LEVEL={{ applog_level }}
+LOG_PATH=./applog/applog
+BROKER_LIST={{ log_kafkabrokers.address }}
+COMMON_FIELD_FILE=appconf/app_log_field.conf
+
+[FIELD_STAT]
+CYCLE=5
+TELEGRAF_PORT=8100
+TELEGRAF_IP=127.0.0.1
+OUTPUT_PATH=./app_stat.log
+APP_NAME=app_master
+
+[SYSTEM]
+LOG_LEVEL={{ app_master_log_level }}
+LOG_PATH=./applog/app_master
+NIC_NAME={{ nic_mgr.name }}
+
+[APP_SKETCH_LOCAL]
+LOG_LEVEL={{ app_sketch_local_log_level }}
+LOG_PATH=./applog/app_sketch_local/app_sketch_local
+
+[CONTROL_PLUG]
+LOG_LEVEL={{ app_control_plug_log_level }}
+LOG_PATH=./applog/app_control_plug/app_control_plug
+
diff --git a/roles/tsg_device_tag/tasks/main.yml b/roles/tsg_device_tag/tasks/main.yml
new file mode 100644
index 0000000..c26450b
--- /dev/null
+++ b/roles/tsg_device_tag/tasks/main.yml
@@ -0,0 +1,9 @@
+- name: "create /opt/tsg/etc/"
+ file:
+ path: /opt/tsg/etc
+ state: directory
+
+- name: "Template tsg_device_tag.json"
+ template:
+ src: "{{ role_path }}/templates/tsg_device_tag.json.j2"
+ dest: /opt/tsg/etc/tsg_device_tag.json
diff --git a/roles/tsg_device_tag/templates/tsg_device_tag.json.j2 b/roles/tsg_device_tag/templates/tsg_device_tag.json.j2
new file mode 100644
index 0000000..38c9b0b
--- /dev/null
+++ b/roles/tsg_device_tag/templates/tsg_device_tag.json.j2
@@ -0,0 +1,2 @@
+[MAAT]
+ACCEPT_TAGS={"tags":[{"tag":"device_id","value":"{{ device_id }}"}]}
diff --git a/roles/tsg_master/files/tsg_master-3.3.4.d27a197-2.el7.x86_64.rpm b/roles/tsg_master/files/tsg_master-3.3.4.d27a197-2.el7.x86_64.rpm
new file mode 100644
index 0000000..1b928f7
Binary files /dev/null and b/roles/tsg_master/files/tsg_master-3.3.4.d27a197-2.el7.x86_64.rpm differ
diff --git a/roles/tsg_master/tasks/main.yml b/roles/tsg_master/tasks/main.yml
new file mode 100644
index 0000000..818dd6c
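Review bot: `BROKER_LIST=tcp://{{ app_global_ip }}:1883` reaches the MQTT broker over plaintext with `#CLIENT_ID=` commented out and no credential or TLS setting anywhere in `[FEEDBACK]`, and `BROKER_LIST={{ log_kafkabrokers.address }}` in `[APP_LOG]` likewise carries nothing but an address; if the application supports authenticated or TLS connections those keys should be templated here, otherwise the template should record the assumption, e.g. `# plaintext, unauthenticated MQTT/Kafka: brokers must be reachable only from the internal management network` above `[FEEDBACK]`. The variables `applog_level`, `app_master_log_level`, `app_sketch_local_log_level` and `app_control_plug_log_level` are consumed here but no `defaults/main.yml` for this role appears in the commit, so a host that omits one of them fails at template time; defaults with a conservative level would make the role self-contained.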
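Review bot: `tsg_device_tag.json.j2` is installed as `/opt/tsg/etc/tsg_device_tag.json`, yet its body is an INI fragment (`[MAAT]` header plus `ACCEPT_TAGS=...`) of exactly the shape used by the `[MAAT]` section of `maat.conf.j2`, so a consumer that parses `EFFECTIVE_RANGE_FILE` as JSON will reject it; either the file should hold only the JSON object `{"tags":[{"tag":"device_id","value":"{{ device_id }}"}]}` or the `.json` name should change to match the real format. If the consumer does expect this INI shape, a one-line comment in the template saying so would spare the next reader the same question. `{{ device_id }}` is also spliced into a JSON string without escaping; `"value":{{ device_id | to_json }}` emits the quotes and escapes itself and keeps the output well-formed for any value.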
--- /dev/null
+++ b/roles/tsg_master/tasks/main.yml
@@ -0,0 +1,11 @@
+- name: "copy tsg_master rpm to destination server"
+ copy:
+ src: "{{ role_path }}/files/"
+ dest: /tmp/ansible_deploy/
+
+- name: "install tsg_master from localhost"
+ yum:
+ name:
+ - /tmp/ansible_deploy/tsg_master-3.3.4.d27a197-2.el7.x86_64.rpm
+ state: present
+ skip_broken: yes
diff --git a/uninstall/roles/backup_framework_config/tasks/main.yml b/uninstall/roles/backup_framework_config/tasks/main.yml
new file mode 100644
index 0000000..d5f9e32
--- /dev/null
+++ b/uninstall/roles/backup_framework_config/tasks/main.yml
@@ -0,0 +1,21 @@
+- name: "create backup_dest_path"
+ file:
+ path: "{{ backup_dest_path }}"
+ state: directory
+ ignore_errors: true
+
+- name: "optMESA_{{ uninstall_version }}_{{ date }}.zip exist?"
+ shell: "ls {{ backup_dest_path }}/optMESA_{{ uninstall_version }}_{{ date }}.zip"
+ register: optMESA_directory
+ ignore_errors: true
+
+- name: "backup /opt/MESA to destination path"
+ archive:
+ path: /opt/MESA
+ dest: "{{ backup_dest_path }}/optMESA_{{ uninstall_version }}_{{ date }}.zip"
+ format: zip
+ when:
+ - optMESA_directory.rc != 0
+ - backup.framework == 1
+ ignore_errors: true
+
diff --git a/uninstall/roles/backup_marsio_config/tasks/main.yml b/uninstall/roles/backup_marsio_config/tasks/main.yml
new file mode 100644
index 0000000..2b58b52
--- /dev/null
+++ b/uninstall/roles/backup_marsio_config/tasks/main.yml
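Review bot: Every task in this file carries `ignore_errors: true`, including the `archive` that produces the backup, so a failed backup of `/opt/MESA` is merely shown as ignored and the uninstall these backups presumably precede runs on without a copy of the configuration; drop `ignore_errors` from the archive task, or register its result and `fail` when `backup.framework == 1` and the archive did not succeed. The existence probe `shell: "ls ..."` plus `ignore_errors` is better expressed with the `stat` module and `when: not optmesa_zip.stat.exists`, which needs no shell, cannot be marked failed and is idempotent. The same pattern is repeated in the `backup_marsio_config`, `backup_sapp_config`, `backup_tfe_config` and `backup_tsgenv_config` hunks below and should be fixed there too.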
@@ -0,0 +1,20 @@
+- name: "create backup_dest_path"
+ file:
+ path: "{{ backup_dest_path }}"
+ state: directory
+ ignore_errors: true
+
+- name: "mrzcpd_{{ uninstall_version }}_{{ date }}.zip exist?"
+ shell: "ls {{ backup_dest_path }}/mrzcpd_{{ uninstall_version }}_{{ date }}.zip"
+ register: mrzcpd_directory
+ ignore_errors: true
+
+- name: "backup /opt/mrzcpd to destination path"
+ archive:
+ path: /opt/mrzcpd
+ dest: "{{ backup_dest_path }}/mrzcpd_{{ uninstall_version }}_{{ date }}.zip"
+ format: zip
+ when:
+ - mrzcpd_directory.rc != 0
+ - backup.marsio == 1
+ ignore_errors: true
diff --git a/uninstall/roles/backup_sapp_config/tasks/main.yml b/uninstall/roles/backup_sapp_config/tasks/main.yml
new file mode 100644
index 0000000..c24b22c
--- /dev/null
+++ b/uninstall/roles/backup_sapp_config/tasks/main.yml
@@ -0,0 +1,82 @@
+- name: "create backup_dest_path"
+ file:
+ path: "{{ backup_dest_path }}"
+ state: directory
+ ignore_errors: true
+
+- name: "sapp_etc_{{ uninstall_version }}_{{ date }}.zip exist?"
+ shell: "ls {{ backup_dest_path }}/sapp_etc_{{ uninstall_version }}_{{ date }}.zip"
+ register: sapp_etc
+ ignore_errors: true
+
+- name: "sapp_plug_{{ uninstall_version }}_{{ date }}.zip exist?"
+ shell: "ls {{ backup_dest_path }}/sapp_plug_{{ uninstall_version }}_{{ date }}.zip"
+ register: sapp_plug
+ ignore_errors: true
+
+- name: "sapp_tsgconf_{{ uninstall_version }}_{{ date }}.zip exist?"
+ shell: "ls {{ backup_dest_path }}/sapp_tsgconf_{{ uninstall_version }}_{{ date }}.zip"
+ register: sapp_tsgconf
+ ignore_errors: true
+
+- name: "sapp_appconf_{{ uninstall_version }}_{{ date }}.zip exist?"
+ shell: "ls {{ backup_dest_path }}/sapp_appconf_{{ uninstall_version }}_{{ date }}.zip"
+ register: sapp_appconf
+ ignore_errors: true
+
+- name: "sapp_conf_{{ uninstall_version }}_{{ date }}.zip exist?"
+ shell: "ls {{ backup_dest_path }}/sapp_conf_{{ uninstall_version }}_{{ date }}.zip"
+ register: sapp_conf
+ ignore_errors: true
+
+- name: "backup sapp_run/etc to destination path"
+ archive:
+ path: /home/mesasoft/sapp_run/etc
+ dest: "{{ backup_dest_path }}/sapp_etc_{{ uninstall_version }}_{{ date }}.zip"
+ format: zip
+ when:
+ - sapp_etc.rc != 0
+ - backup.sapp_etc == 1
+ ignore_errors: true
+
+- name: "backup sapp_run/plug to destination path"
+ archive:
+ path: /home/mesasoft/sapp_run/plug
+ dest: "{{ backup_dest_path }}/sapp_plug_{{ uninstall_version }}_{{ date }}.zip"
+ format: zip
+ when:
+ - sapp_plug.rc != 0
+ - backup.sapp_plug == 1
+ ignore_errors: true
+
+- name: "backup sapp_run/tsgconf/ to destination path"
+ archive:
+ path: /home/mesasoft/sapp_run/tsgconf
+ dest: "{{ backup_dest_path }}/sapp_tsgconf_{{ uninstall_version }}_{{ date }}.zip"
+ format: zip
+ when:
+ - sapp_tsgconf.rc != 0
+ - backup.sapp_tsgconf == 1
+ ignore_errors: true
+
+- name: "backup sapp_run/appconf/ to destination path"
+ archive:
+ path: /home/mesasoft/sapp_run/appconf
+ dest: "{{ backup_dest_path }}/sapp_appconf_{{ uninstall_version }}_{{ date }}.zip"
+ format: zip
+ when:
+ - sapp_appconf.rc != 0
+ - backup.sapp_appconf == 1
+ ignore_errors: true
+
+- name: "backup sapp_run/conf/ to destination path"
+ archive:
+ path: /home/mesasoft/sapp_run/conf
+ dest: "{{ backup_dest_path }}/sapp_conf_{{ uninstall_version }}_{{ date }}.zip"
+ format: zip
+ when:
+ - sapp_conf.rc != 0
+ - backup.sapp_conf == 1
+ ignore_errors: true
+
+
diff --git a/uninstall/roles/backup_tfe_config/tasks/main.yml b/uninstall/roles/backup_tfe_config/tasks/main.yml
new file mode 100644
index 0000000..01f97bd
--- /dev/null
+++ b/uninstall/roles/backup_tfe_config/tasks/main.yml
@@ -0,0 +1,20 @@
+- name: "create backup_dest_path"
+ file:
+ path: "{{ backup_dest_path }}"
+ state: directory
+ ignore_errors: true
+
+- name: "tfe_conf_{{ uninstall_version }}_{{ date }}.zip exist?"
+ shell: "ls {{ backup_dest_path }}/tfe_conf_{{ uninstall_version }}_{{ date }}.zip"
+ register: tfeconf_directory
+ ignore_errors: true
+
+- name: "backup /opt/tsg/tfe/conf to destination path"
+ archive:
+ path: /opt/tsg/tfe/conf
+ dest: "{{ backup_dest_path }}/tfe_conf_{{ uninstall_version }}_{{ date }}.zip"
+ format: zip
+ when:
+ - tfeconf_directory.rc != 0
+ - backup.tfe == 1
+ ignore_errors: true
diff --git a/uninstall/roles/backup_tsgenv_config/tasks/main.yml b/uninstall/roles/backup_tsgenv_config/tasks/main.yml
new file mode 100644
index 0000000..15735d1
--- /dev/null
+++ b/uninstall/roles/backup_tsgenv_config/tasks/main.yml
@@ -0,0 +1,20 @@
+- name: "create backup_dest_path"
+ file:
+ path: "{{ backup_dest_path }}"
+ state: directory
+ ignore_errors: true
+
+- name: "tsg_env_{{ uninstall_version }}_{{ date }}.zip exist?"
+ shell: "ls {{ backup_dest_path }}/tsg_env_{{ uninstall_version }}_{{ date }}.zip"
+ register: tsgenv_directory
+ ignore_errors: true
+
+- name: "backup /opt/tsg/env to destination path"
+ archive:
+ path: /opt/tsg/env
+ dest: "{{ backup_dest_path }}/tsg_env_{{ uninstall_version }}_{{ date }}.zip"
+ format: zip
+ when:
+ - tsgenv_directory.rc != 0
+ - backup.tsg_env == 1
+ ignore_errors: true
diff --git a/uninstall/roles/cert_redis/tasks/main.yml b/uninstall/roles/cert_redis/tasks/main.yml
new file mode 100644
index 0000000..537be5e
--- /dev/null
+++ b/uninstall/roles/cert_redis/tasks/main.yml
@@ -0,0 +1,7 @@
+- name: "[uninstall cert_redis] stop cert-redis"
+ systemd:
+ name: cert-redis
+ state: stopped
+ enabled: no
+ when: uninstall.certredis == 1
+ ignore_errors: true
diff --git a/uninstall/roles/certstore/tasks/main.yml b/uninstall/roles/certstore/tasks/main.yml
new file mode 100644
index 0000000..96284d7
--- /dev/null
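Review bot: The cert_redis role only stops and disables the `cert-redis` unit, whereas the neighbouring `certstore` and `clotho` roles also remove their package with `yum: state: absent`; if leaving the package (and whatever key material it holds) installed is deliberate, a comment such as `# package intentionally left installed: <reason>` above the task will stop someone "completing" the role later, otherwise add the matching removal task guarded by `uninstall.certredis == 1`. The `ignore_errors: true` also hides a unit that refuses to stop, which for a service holding certificates is worth surfacing rather than skipping.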
+++ b/uninstall/roles/certstore/tasks/main.yml
@@ -0,0 +1,16 @@
+- name: "[uninstall certstore] stop certstore"
+ systemd:
+ name: certstore
+ state: stopped
+ enabled: no
+ when:
+ - uninstall.certstore == 1
+ ignore_errors: true
+
+- name: "[uninstall certstore] uninstall certstore"
+ yum:
+ name:
+ - "{{ certstore }}"
+ state: absent
+ when: uninstall.certstore == 1
+
diff --git a/uninstall/roles/clotho/tasks/main.yml b/uninstall/roles/clotho/tasks/main.yml
new file mode 100644
index 0000000..2ae1a72
--- /dev/null
+++ b/uninstall/roles/clotho/tasks/main.yml
@@ -0,0 +1,16 @@
+####################
+#Uninstall clotho
+- name: "[uninstall clotho] stop clotho"
+ systemd:
+ name: clotho
+ state: stopped
+ enabled: no
+ when: uninstall.clotho == 1
+ ignore_errors: true
+
+- name: "[uninstall clotho] uninstall clotho"
+ yum:
+ name:
+ - "{{ clotho }}"
+ state: absent
+ when: uninstall.clotho == 1
diff --git a/uninstall/roles/firewall/tasks/main.yml b/uninstall/roles/firewall/tasks/main.yml
new file mode 100644
index 0000000..c83b6be
--- /dev/null
+++ b/uninstall/roles/firewall/tasks/main.yml
@@ -0,0 +1,72 @@
+####################
+#Uninstall firewall
+- name: "[uninstall firewall] stop sapp"
+ systemd:
+ name: sapp
+ state: stopped
+ enabled: no
+ when:
+ - uninstall.firewall == 1
+ ignore_errors: true
+
+- name: "[uninstall firewall] create /home/mesasoft/sapp_runetc/"
+ file:
+ path: /home/mesasoft/sapp_runetc/
+ state: directory
+ when: uninstall.firewall == 1
+
+- name: "[uninstall firewall] create entrylist.conf"
+ file:
+ path: /home/mesasoft/sapp_runetc/entrylist.conf
+ state: touch
+ when: uninstall.firewall == 1
+
+- name: "[uninstall firewall] uninstall firewall"
+ yum:
+ name:
+ - "{{ capture_packet_plug }}"
+ - "{{ dns }}"
+ - "{{ ftp }}"
+ - "{{ http }}"
+ - "{{ quic }}"
+ - "{{ ssl }}"
+ - "{{ mail }}"
+ - "{{ fw_dns }}"
+ - "{{ fw_ftp }}"
+ - "{{ fw_http }}"
+ - "{{ fw_ssl }}"
+ - "{{ fw_mail }}"
+ state: absent
+ when: uninstall.firewall == 1
+
+- name: "[uninstall firewall] uninstall fw_quic"
+ yum:
+ name:
+ - "{{ fw_quic }}"
+ state: absent
+ when: uninstall.firewall == 1
+ ignore_errors: true
+
+- name: "[uninstall firewall] uninstall tsg_conn_record"
+ yum:
+ name:
+ - "{{ tsg_conn_record }}"
+ state: absent
+ when: uninstall.firewall == 1
+ ignore_errors: true
+
+- name: "[uninstall firewall] uninstall tsg_conn_sketch"
+ yum:
+ name:
+ - "{{ tsg_conn_sketch }}"
+ state: absent
+ when: uninstall.firewall == 1
+ ignore_errors: true
+
+
+- name: "[uninstall firewall] remove /home/mesasoft/sapp_runetc"
+ file:
+ path: /home/mesasoft/sapp_runetc
+ state: absent
+ when: uninstall.firewall == 1
+
diff --git a/uninstall/roles/framework/tasks/main.yml b/uninstall/roles/framework/tasks/main.yml
new file mode 100644
index 0000000..2b5b54d
--- /dev/null
+++ b/uninstall/roles/framework/tasks/main.yml
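Review bot: `/home/mesasoft/sapp_runetc/`, used in three tasks, looks like a typo for `/home/mesasoft/sapp_run/etc/`, the directory the framework and backup roles use; as written the role creates a stray directory, touches `entrylist.conf` inside it, and deletes it again at the end, so the empty entry list never lands where sapp reads it. If the intent is to hand sapp an empty `entrylist.conf` before the plug packages are removed, the paths should become `/home/mesasoft/sapp_run/etc/` and `/home/mesasoft/sapp_run/etc/entrylist.conf`, and the final removal task must then delete only that file rather than the whole `etc` directory; a comment on the touch task stating why an empty list is needed would also help. The first `yum` task removes twelve packages with no `ignore_errors` while the three after it do; note that the package list in this commit spells `fw_ftp` as `fw_ftp_plug-1.1.0.74c9a05-1.x86_6`, which presumably matches nothing and aborts that task before the remaining packages are removed.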
@@ -0,0 +1,40 @@
+- name: "[uninstall framework] create project_list.conf"
+ file:
+ path: /home/mesasoft/sapp_run/etc/project_list.conf
+ state: touch
+ when: uninstall.framework == 1
+ ignore_errors: true
+
+- name: "[uninstall framework] create conflist.inf"
+ file:
+ path: /home/mesasoft/sapp_run/plug/conflist.inf
+ state: touch
+ when: uninstall.framework == 1
+ ignore_errors: true
+
+- name: "[uninstall framework] uninstall framework"
+ yum:
+ name:
+ - "{{ libcjson }}"
+ - "{{ libdocument }}"
+ - "{{ libmaatframe }}"
+ - "{{ libMESA_field_stat }}"
+ - "{{ libMESA_field_stat2 }}"
+ - "{{ libMESA_handle_logger }}"
+ - "{{ libMESA_htable }}"
+ - "{{ libMESA_prof_load }}"
+ - "{{ librdkafka }}"
+ - "{{ librulescan }}"
+ - "{{ libwiredcfg }}"
+ - "{{ libWiredLB }}"
+ - "{{ lz4 }}"
+ state: absent
+ when: uninstall.framework == 1
+
+- name: "[uninstall framework] uninstall framework"
+ yum:
+ name:
+ - "{{ libtsglua }}"
+ state: absent
+ when: uninstall.framework == 1
+ ignore_errors: true
diff --git a/uninstall/roles/http_healthcheck/tasks/main.yml b/uninstall/roles/http_healthcheck/tasks/main.yml
new file mode 100644
index 0000000..93f8a8a
--- /dev/null
+++ b/uninstall/roles/http_healthcheck/tasks/main.yml
@@ -0,0 +1,9 @@
+####################
+#Uninstall http_healthcheck
+- name: "[uninstall http_healthcheck] uninstall http_healthcheck"
+ yum:
+ name:
+ - "{{ http_healthcheck }}"
+ state: absent
+ when: uninstall.http_healthcheck == 1
+
diff --git a/uninstall/roles/kernel/tasks/main.yml b/uninstall/roles/kernel/tasks/main.yml
new file mode 100644
index 0000000..ed6ee75
--- /dev/null
+++ b/uninstall/roles/kernel/tasks/main.yml
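Review bot: Both `yum` tasks are named `[uninstall framework] uninstall framework`, so the play output cannot tell the thirteen-library removal apart from the `libtsglua` one when either fails; rename the second to `[uninstall framework] uninstall libtsglua`. The two `state: touch` tasks report changed on every run and carry no explanation of why empty `project_list.conf` and `conflist.inf` files must exist before the libraries are removed; a comment such as `# sapp refuses to start without these files; keep them empty during removal` above the first touch, or `changed_when: false` on both, would make the intent and the idempotence explicit. `ignore_errors: true` on the touch tasks also swallows a missing `/home/mesasoft/sapp_run/etc` directory, which is a real signal that the host was never provisioned.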
@@ -0,0 +1,23 @@
+####################
+#Uninstall Kernel
+- name: "[uninstall kernel] reset default kernel"
+ shell: grub2-set-default '{{ origin_kernel }}'
+ when: uninstall.kernel == 1
+
+- name: "[uninstall kernel] reboot"
+ reboot:
+ when: uninstall.kernel == 1
+
+- name: "[uninstall kernel] uninstall tfe-kmod and kernel"
+ yum:
+ name:
+ - "{{ tfe_kmod }}"
+ - "{{ dkms }}"
+ - "{{ kernel_ml }}"
+ - "{{ kernel_ml_devel }}"
+ - "{{ elfutils_libelf_devel }}"
+ - "{{ zlib_devel }}"
+ state: absent
+ when: uninstall.kernel == 1
+ ignore_errors: true
+
diff --git a/uninstall/roles/kni/tasks/main.yml b/uninstall/roles/kni/tasks/main.yml
new file mode 100644
index 0000000..f4db718
--- /dev/null
+++ b/uninstall/roles/kni/tasks/main.yml
@@ -0,0 +1,18 @@
+####################
+#Uninstall kni
+- name: "[uninstall kni] stop sapp"
+ systemd:
+ name: sapp
+ state: stopped
+ enabled: no
+ when:
+ - uninstall.kni == 1
+ ignore_errors: true
+
+- name: "[uninstall kni] uninstall kni"
+ yum:
+ name:
+ - "{{ kni }}"
+ state: absent
+ when: uninstall.kni == 1
+
diff --git a/uninstall/roles/marsio/tasks/main.yml b/uninstall/roles/marsio/tasks/main.yml
new file mode 100644
index 0000000..d245b99
--- /dev/null
+++ b/uninstall/roles/marsio/tasks/main.yml
@@ -0,0 +1,26 @@
+####################
+#Uninstall Marsio
+- name: "[uninstall marsio] stop mrzcpd"
+ systemd:
+ name: mrzcpd
+ state: stopped
+ enabled: no
+ when:
+ - uninstall.marsio == 1
+ ignore_errors: true
+
+- name: "[uninstall marsio] stop mrtunnat"
+ systemd:
+ name: mrtunnat
+ state: stopped
+ enabled: no
+ when:
+ - uninstall.marsio == 1
+ ignore_errors: true
+
+- name: "[uninstall marsio] uninstall mrzcpd"
+ yum:
+ name:
+ - "{{ mrzcpd }}"
+ state: absent
+ when: uninstall.marsio == 1
diff --git a/uninstall/roles/package_list/20.06.1.yml b/uninstall/roles/package_list/20.06.1.yml
new file mode 100644
index 0000000..8195c49
--- /dev/null
+++ b/uninstall/roles/package_list/20.06.1.yml
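Review bot: `shell: grub2-set-default '{{ origin_kernel }}'` pushes a templated vars-file value through a shell, and a single quote anywhere in `origin_kernel` breaks the quoting and changes what the shell runs; the `command` module with an argv list passes the value as one argument with no shell in between, e.g. `command:` / `argv: [grub2-set-default, "{{ origin_kernel }}"]`. The task ordering itself is sound: the default entry is reset and the host rebooted before the `kernel_ml` packages are removed, so the machine is never left with its running kernel uninstalled, and a one-line comment above the reboot task, `# reboot onto origin_kernel before removing kernel-ml so the running kernel is never uninstalled`, would make that dependency explicit.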
@@ -0,0 +1,82 @@
+####################
+#marsio
+mrzcpd: mrzcpd-4.3.21.26314ca-1.el7.x86_64
+
+####################
+#kernel
+origin_kernel: CentOS Linux (3.10.0-693.el7.x86_64) 7 (Core)
+#默认为CentOS 7.4内核,如果系统版本变更,请手动更改origin_kernel值
+
+kernel_ml: kernel-ml-5.1.8-1.el7.elrepo.x86_64
+kernel_ml_devel: kernel-ml-devel-5.1.8-1.el7.elrepo.x86_64
+dkms: dkms-2.7.1-1.el7.noarch
+elfutils_libelf_devel: null
+pkgconfig: null
+zlib_devel: null
+
+####################
+#framework
+libcjson: libcjson-1.7.8.542ad7f-1.x86_64
+libdocument: libdocumentanalyze-2.0.4.efdfc29-1.x86_64
+libmaatframe: libmaatframe-2.9.2.7519c63-1.x86_64
+libMESA_field_stat: libMESA_field_stat-1.0.1.852c2df-1.x86_64
+libMESA_field_stat2: libMESA_field_stat2-2.9.0.16ecf3b-1.x86_64
+libMESA_handle_logger: libMESA_handle_logger-1.0.9.304259e-1.x86_64
+libMESA_htable: libMESA_htable-3.10.11.6275308-1.x86_64
+libMESA_prof_load: libMESA_prof_load-1.0.5.bf755de-1.x86_64
+librdkafka: librdkafka-0.11.4-1.el7.x86_64
+librulescan: librulescan-2.2.0.900d2b3-1.x86_64
+libwiredcfg: libwiredcfg-2.0.2.7ce1eea-1.x86_64
+libWiredLB: libWiredLB-2.0.3.c7d131b-1.x86_64
+lz4: lz4-1.7.5-3.el7.x86_64
+
+####################
+#sapp
+sapp: sapp-4.0.14.91cbc1b-1.x86_64
+
+####################
+#tsg_master
+tsg_master: tsg_master-1.3.3.65833d7-1.x86_64
+
+####################
+#kni
+kni: kni-20.06-1.el7.x86_64
+
+####################
+#firewall
+capture_packet_plug: capture_packet_plug-debug-1.0.0.-1.el7.x86_64
+dns: dns-2.0.2.5effe72-1.x86_64
+ftp: ftp-1.0.4.5d3a283-1.x86_64
+http: http-2.0.1.e8f12ee-1.x86_64
+quic: quic-1.1.4.9c2e0ba-1.x86_64
+ssl: ssl-1.0.0.73e5273-1.x86_64
+mail: mail-1.0.3.cbc6034-1.x86_64
+fw_dns: fw_dns_plug-debug-1.0.3.ea8e0f6-1.el7.centos.x86_64
+fw_ftp: fw_ftp_plug-1.1.0.74c9a05-1.x86_6
+fw_http: fw_http_plug-1.2.0.a7e63c0-1.x86_64
+fw_quic: fw_quic_plug-1.0.1.e8cded4-1.x86_64
+fw_ssl: fw_ssl_plug-1.0.3.30fcf35-1.x86_64
+fw_mail: fw_mail_plug-1.1.0.a42c5a0-1.x86_64
+tsg_conn_record: tsg_conn_record-1.0.0.2155660-1.el7.centos.x86_64
+tsg_conn_sketch: null
+
+####################
+#tfe
+tfe: tfe-4.3.5.0db794c-1.el7.x86_64
+tfe_kmod: tfe-kmod-v1.0.5.20200408-1dkms.noarch
+
+####################
+#http_healthcheck
+http_healthcheck: http_healthcheck-20.04-1.el7.x86_64
+
+#####################
+#clotho
+clotho: clotho-debug-1.0.0.-1.el7.x86_64
+
+#####################
+#certstore
+certstore: certstore-2.1.2.0f61dde-1.el7.centos.x86_64
+
+#####################
+#telegraf
+telegraf_statistic: telegraf-1.13.0-1.x86_64
diff --git a/uninstall/roles/package_list/20.07.rc1.yml b/uninstall/roles/package_list/20.07.rc1.yml
new file mode 100644
index 0000000..45c4ed1
--- /dev/null
+++ b/uninstall/roles/package_list/20.07.rc1.yml
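Review bot: `fw_ftp: fw_ftp_plug-1.1.0.74c9a05-1.x86_6` looks truncated — every other entry in this file ends in `x86_64` — and because `yum` with `state: absent` simply reports no change for a name that is not installed, the firewall role would leave fw_ftp_plug in place without any error; if the installed package really is `fw_ftp_plug-1.1.0.74c9a05-1.x86_64`, the line should be corrected to that. The Chinese comment under `origin_kernel` is the only documentation of a value that must be maintained by hand; an English rendering such as `# defaults to the CentOS 7.4 kernel; if the OS version changes, update origin_kernel by hand` would reach every operator, and the same comment is repeated in the 20.07.rc1, 20.07, 20.08 and 20.09 lists.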
@@ -0,0 +1,82 @@
+####################
+#marsio
+mrzcpd: mrzcpd-4.3.25.d88306e-1.el7.x86_64
+
+####################
+#kernel
+origin_kernel: CentOS Linux (3.10.0-693.el7.x86_64) 7 (Core)
+#默认为CentOS 7.4内核,如果系统版本变更,请手动更改origin_kernel值
+
+kernel_ml: kernel-ml-5.1.8-1.el7.elrepo.x86_64
+kernel_ml_devel: kernel-ml-devel-5.1.8-1.el7.elrepo.x86_64
+dkms: dkms-2.7.1-1.el7.noarch
+elfutils_libelf_devel: null
+pkgconfig: null
+zlib_devel: null
+
+####################
+#framework
+libcjson: libcjson-1.7.8.542ad7f-1.x86_64
+libdocument: libdocumentanalyze-2.0.4.efdfc29-1.x86_64
+libmaatframe: libmaatframe-3.0.2.dc1fced-1.x86_64
+libMESA_field_stat: libMESA_field_stat-1.0.1.852c2df-1.x86_64
+libMESA_field_stat2: libMESA_field_stat2-2.9.0.16ecf3b-1.x86_64
+libMESA_handle_logger: libMESA_handle_logger-1.0.9.304259e-1.x86_64
+libMESA_htable: libMESA_htable-3.10.11.6275308-1.x86_64
+libMESA_prof_load: libMESA_prof_load-1.0.5.bf755de-1.x86_64
+librdkafka: librdkafka-0.11.4-1.el7.x86_64
+librulescan: librulescan-2.2.0.900d2b3-1.x86_64
+libwiredcfg: libwiredcfg-2.0.2.7ce1eea-1.x86_64
+libWiredLB: libWiredLB-2.0.3.c7d131b-1.x86_64
+lz4: lz4-1.7.5-3.el7.x86_64
+
+####################
+#sapp
+sapp: sapp-4.0.18.bb2effd-1.x86_64
+
+####################
+#tsg_master
+tsg_master: tsg_master-3.0.3.3c9cf15-1.x86_64
+
+####################
+#kni
+kni: kni-20.07-1.el7.x86_64
+
+####################
+#firewall
+capture_packet_plug: capture_packet_plug-3.0.2.09f193c-1.x86_64
+dns: dns-2.0.6.d8317e9-1.x86_64
+ftp: ftp-1.0.6.2710506-1.x86_64
+http: http-2.0.3.9218b4b-1.x86_64
+quic: quic-1.1.6.d6755d8-1.x86_64
+ssl: ssl-1.0.3.e8482a4-1.x86_64
+mail: mail-1.0.7.9e3be05-1.x86_64
+fw_dns: fw_dns_plug-3.0.0.0a5d574-1.x86_64
+fw_ftp: fw_ftp_plug-3.0.0.7a867ea-1.x86_64
+fw_http: fw_http_plug-3.0.0.1ca1c65-1.x86_64
+fw_quic: fw_quic_plug-3.0.0.b06d39c-1.x86_64
+fw_ssl: fw_ssl_plug-3.0.0.3a29c3f-1.x86_64
+fw_mail: fw_mail_plug-3.0.0.3b4e481-1.x86_64
+tsg_conn_record: tsg_conn_record-1.0.0.2155660-1.el7.centos.x86_64
+tsg_conn_sketch: tsg_conn_sketch-2.0.v2.0_alpha.af621ca-1.x86_64
+
+####################
+#tfe
+tfe: tfe-4.3.7.39bff00-1.el7.x86_64
+tfe_kmod: tfe-kmod-v1.0.5.20200408-1dkms.noarch
+
+####################
+#http_healthcheck
+http_healthcheck: http_healthcheck-20.04-1.el7.x86_64
+
+#####################
+#clotho
+clotho: clotho-debug-1.0.0.-1.el7.x86_64
+
+#####################
+#certstore
+certstore: certstore-2.1.2.0f61dde-1.el7.centos.x86_64
+
+#####################
+#telegraf
+telegraf_statistic: telegraf-1.13.0-1.x86_64
diff --git a/uninstall/roles/package_list/20.07.yml b/uninstall/roles/package_list/20.07.yml
new file mode 100644
index 0000000..35eaac5
--- /dev/null
+++ b/uninstall/roles/package_list/20.07.yml
@@ -0,0 +1,82 @@
+####################
+#marsio
+mrzcpd: mrzcpd-4.3.25.d88306e-1.el7.x86_64
+
+####################
+#kernel
+origin_kernel: CentOS Linux (3.10.0-693.el7.x86_64) 7 (Core)
+#默认为CentOS 7.4内核,如果系统版本变更,请手动更改origin_kernel值
+
+kernel_ml: kernel-ml-5.1.8-1.el7.elrepo.x86_64
+kernel_ml_devel: kernel-ml-devel-5.1.8-1.el7.elrepo.x86_64
+dkms: dkms-2.7.1-1.el7.noarch
+elfutils_libelf_devel: null
+pkgconfig: null
+zlib_devel: null
+
+####################
+#framework
+libcjson: libcjson-1.7.8.542ad7f-1.x86_64
+libdocument: libdocumentanalyze-2.0.4.efdfc29-1.x86_64
+libmaatframe: libmaatframe-3.0.2.dc1fced-1.x86_64
+libMESA_field_stat: libMESA_field_stat-1.0.1.852c2df-1.x86_64
+libMESA_field_stat2: libMESA_field_stat2-2.9.0.16ecf3b-1.x86_64
+libMESA_handle_logger: libMESA_handle_logger-1.0.9.304259e-1.x86_64
+libMESA_htable: libMESA_htable-3.10.11.6275308-1.x86_64
+libMESA_prof_load: libMESA_prof_load-1.0.5.bf755de-1.x86_64
+librdkafka: librdkafka-0.11.4-1.el7.x86_64
+librulescan: librulescan-2.2.0.900d2b3-1.x86_64
+libwiredcfg: libwiredcfg-2.0.2.7ce1eea-1.x86_64
+libWiredLB: libWiredLB-2.0.3.c7d131b-1.x86_64
+lz4: lz4-1.7.5-3.el7.x86_64
+
+####################
+#sapp
+sapp: sapp-4.0.18.bb2effd-1.x86_64
+
+####################
+#tsg_master
+tsg_master: tsg_master-3.0.4.40fa047-1.x86_64
+
+####################
+#kni
+kni: kni-20.07-1.el7.x86_64
+
+####################
+#firewall
+capture_packet_plug: capture_packet_plug-3.0.2.09f193c-1.x86_64
+dns: dns-2.0.6.d8317e9-1.x86_64
+ftp: ftp-1.0.6.2710506-1.x86_64
+http: http-2.0.3.9218b4b-1.x86_64
+quic: quic-1.1.6.d6755d8-1.x86_64
+ssl: ssl-1.0.3.e8482a4-1.x86_64
+mail: mail-1.0.7.9e3be05-1.x86_64
+fw_dns: fw_dns_plug-3.0.0.0a5d574-1.x86_64
+fw_ftp: fw_ftp_plug-3.0.0.7a867ea-1.x86_64
+fw_http: fw_http_plug-3.0.0.1ca1c65-1.x86_64
+fw_quic: fw_quic_plug-3.0.0.b06d39c-1.x86_64
+fw_ssl: fw_ssl_plug-3.0.1.7ea9976-1.x86_64
+fw_mail: fw_mail_plug-3.0.0.3b4e481-1.x86_64
+tsg_conn_record: tsg_conn_record-1.0.0.2155660-1.el7.centos.x86_64
+tsg_conn_sketch: tsg_conn_sketch-2.0.v2.0_alpha.af621ca-1.x86_64
+
+####################
+#tfe
+tfe: tfe-4.3.8.11b62a2-1.el7.x86_64
+tfe_kmod: tfe-kmod-v1.0.5.20200408-1dkms.noarch
+
+####################
+#http_healthcheck
+http_healthcheck: http_healthcheck-20.04-1.el7.x86_64
+
+#####################
+#clotho
+clotho: clotho-debug-1.0.0.-1.el7.x86_64
+
+#####################
+#certstore
+certstore: certstore-2.1.2.0f61dde-1.el7.centos.x86_64
+
+#####################
+#telegraf
+telegraf_statistic: telegraf-1.13.0-1.x86_64
diff --git a/uninstall/roles/package_list/20.08.yml b/uninstall/roles/package_list/20.08.yml
new file mode 100644
index 0000000..b716573
--- /dev/null
+++ b/uninstall/roles/package_list/20.08.yml
@@ -0,0 +1,82 @@
+####################
+#marsio
+mrzcpd: mrzcpd-4.3.25.d88306e-1.el7.x86_64
+
+####################
+#kernel
+origin_kernel: CentOS Linux (3.10.0-693.el7.x86_64) 7 (Core)
+#默认为CentOS 7.4内核,如果系统版本变更,请手动更改origin_kernel值
+
+kernel_ml: kernel-ml-5.1.8-1.el7.elrepo.x86_64
+kernel_ml_devel: kernel-ml-devel-5.1.8-1.el7.elrepo.x86_64
+dkms: dkms-2.7.1-1.el7.noarch
+elfutils_libelf_devel: elfutils-libelf-devel-0.168-8.el7.x86_64
+pkgconfig: pkgconfig-0.27.1-4.el7.x86_64
+zlib_devel: zlib-devel-1.2.7-17.el7.x86_64
+
+####################
+#framework
+libcjson: libcjson-1.7.8.542ad7f-1.x86_64
+libdocument: libdocumentanalyze-2.0.4.efdfc29-1.x86_64
+libmaatframe: libmaatframe-3.0.3.5931b44-1.x86_64
+libMESA_field_stat: libMESA_field_stat-1.0.1.852c2df-1.x86_64
+libMESA_field_stat2: libMESA_field_stat2-2.9.0.16ecf3b-1.x86_64
+libMESA_handle_logger: libMESA_handle_logger-1.0.9.304259e-1.x86_64
+libMESA_htable: libMESA_htable-3.10.11.6275308-1.x86_64
+libMESA_prof_load: libMESA_prof_load-1.0.5.bf755de-1.x86_64
+librdkafka: librdkafka-0.11.4-1.el7.x86_64
+librulescan: librulescan-2.2.0.900d2b3-1.x86_64
+libwiredcfg: libwiredcfg-2.0.2.7ce1eea-1.x86_64
+libWiredLB: libWiredLB-2.0.3.c7d131b-1.x86_64
+lz4: lz4-1.7.5-3.el7.x86_64
+
+####################
+#sapp
+sapp: sapp-4.0.20.b59c12a-1.x86_64
+
+####################
+#tsg_master
+tsg_master: tsg_master-3.1.2.7002e1b-1.x86_64
+
+####################
+#kni
+kni: kni-20.07-1.el7.x86_64
+
+####################
+#firewall
+capture_packet_plug: capture_packet_plug-3.0.2.09f193c-1.x86_64
+dns: dns-2.0.6.d8317e9-1.x86_64
+ftp: ftp-1.0.6.2710506-1.x86_64
+http: http-2.0.3.9218b4b-1.x86_64
+quic: quic-1.1.6.d6755d8-1.x86_64
+ssl: ssl-1.0.3.e8482a4-1.x86_64
+mail: mail-1.0.7.9e3be05-1.x86_64
+fw_dns: fw_dns_plug-3.0.0.0a5d574-1.x86_64
+fw_ftp: fw_ftp_plug-3.0.0.7a867ea-1.x86_64
+fw_http: fw_http_plug-3.0.0.1ca1c65-1.x86_64
+fw_quic: fw_quic_plug-3.0.0.b06d39c-1.x86_64
+fw_ssl: fw_ssl_plug-3.0.1.7ea9976-1.x86_64
+fw_mail: fw_mail_plug-3.0.0.3b4e481-1.x86_64
+tsg_conn_record: tsg_conn_record-1.0.2.2afb19a-1.x86_64
+tsg_conn_sketch: tsg_conn_sketch-2.0.v2.0_alpha.af621ca-1.x86_64
+
+####################
+#tfe
+tfe: tfe-4.3.9.4d7957e-1.el7.x86_64
+tfe_kmod: tfe-kmod-v1.0.5.20200408-1dkms.noarch
+
+####################
+#http_healthcheck
+http_healthcheck: http_healthcheck-20.04-1.el7.x86_64
+
+#####################
+#clotho
+clotho: clotho-debug-1.0.0.-1.el7.x86_64
+
+#####################
+#certstore
+certstore: certstore-2.1.2.20200828.f507b3e-1.el7.x86_64
+
+#####################
+#telegraf
+telegraf_statistic: telegraf-1.13.0-1.x86_64
diff --git a/uninstall/roles/package_list/20.09.yml b/uninstall/roles/package_list/20.09.yml
new file mode 100644
index 0000000..c8a26ed
--- /dev/null
+++ b/uninstall/roles/package_list/20.09.yml
@@ -0,0 +1,93 @@
+####################
+#marsio
+mrzcpd: mrzcpd-4.3.25.d88306e-1.el7.x86_64
+
+####################
+#kernel
+origin_kernel: CentOS Linux (3.10.0-693.el7.x86_64) 7 (Core)
+#默认为CentOS 7.4内核,如果系统版本变更,请手动更改origin_kernel值
+
+kernel_ml: kernel-ml-5.1.8-1.el7.elrepo.x86_64
+kernel_ml_devel: kernel-ml-devel-5.1.8-1.el7.elrepo.x86_64
+dkms: dkms-2.7.1-1.el7.noarch
+elfutils_libelf_devel: elfutils-libelf-devel-0.168-8.el7.x86_64
+pkgconfig: pkgconfig-0.27.1-4.el7.x86_64
+zlib_devel: zlib-devel-1.2.7-17.el7.x86_64
+
+####################
+#framework
+libcjson: libcjson-1.7.8.542ad7f-1.x86_64
+libdocument: libdocumentanalyze-2.0.4.efdfc29-1.x86_64
+libmaatframe: libmaatframe-3.0.7.34de556-1.x86_64
+libMESA_field_stat: libMESA_field_stat-1.0.1.852c2df-1.x86_64
+libMESA_field_stat2: libMESA_field_stat2-2.9.1.d80b5fb-1.x86_64
+libMESA_handle_logger: libMESA_handle_logger-2.0.4.1502550-1.x86_64
+libMESA_htable: libMESA_htable-3.10.11.6275308-1.x86_64
+libMESA_prof_load: libMESA_prof_load-1.0.5.bf755de-1.x86_64
+librdkafka: librdkafka-0.11.4-1.el7.x86_64
+librulescan: librulescan-2.2.0.900d2b3-1.x86_64
+libwiredcfg: libwiredcfg-2.0.2.7ce1eea-1.x86_64
+libWiredLB: libWiredLB-2.0.3.c7d131b-1.x86_64
+lz4: lz4-1.7.5-3.el7.x86_64
+libtsglua: libtsglua-1.0.7.0864e4a-1.x86_64
+
+####################
+#sapp
+sapp: sapp-4.1.7.4f2839a-1.x86_64
+
+####################
+#tsg_master
+tsg_master: tsg_master-3.2.9.d1a6f00-1.x86_64
+
+####################
+#kni
+kni: kni-20.09-1.el7.x86_64
+
+####################
+#firewall
+capture_packet_plug: capture_packet_plug-3.0.2.09f193c-1.x86_64
+dns: dns-2.0.8.beb1d09-1.x86_64
+ftp: ftp-1.0.6.2710506-1.x86_64
+http: http-2.0.3.9218b4b-1.x86_64
+quic: quic-1.1.9.810857d-1.x86_64
+ssl: ssl-1.0.8.0068bd9-1.x86_64
+mail: mail-1.0.7.9e3be05-1.x86_64
+fw_dns: fw_dns_plug-3.0.1.453c533-1.x86_64
+fw_ftp: fw_ftp_plug-3.0.0.7a867ea-1.x86_64
+fw_http: fw_http_plug-3.0.0.1ca1c65-1.x86_64
+fw_quic: fw_quic_plug-3.0.0.b06d39c-1.x86_64
+fw_ssl: fw_ssl_plug-3.0.1.7ea9976-1.x86_64
+fw_mail: fw_mail_plug-3.0.0.3b4e481-1.x86_64
+tsg_conn_sketch: tsg_conn_sketch-2.0.5.63c1e51-1.x86_64
+
+####################
+#Tsg_app
+app_sketch_local: app_sketch_local-1.0.4.0edaf58-2.x86_64
+app_control_plug: app_control_plug-1.0.3.447fc53-2.x86_64
+app_proto_identify: app_proto_identify-1.0.3.6c893f2-2.x86_64
+app_master: app_master-1.0.4.d189dee-1.x86_64
+
+####################
+#tfe
+tfe: tfe-4.3.10.fb02543-1.el7.x86_64
+tfe_kmod: tfe-kmod-v1.0.5.20200408-1dkms.noarch
+
+####################
+#http_healthcheck
+http_healthcheck: http_healthcheck-20.04-1.el7.x86_64
+
+#####################
+#clotho
+clotho: clotho-debug-1.0.0.-1.el7.x86_64
+
+#####################
+#certstore
+certstore: certstore-2.1.2.202009.87fcacf-1.el7.x86_64
+
+#####################
+#telegraf
+telegraf_statistic: telegraf-1.13.0-1.x86_64
+
+#####################
+#tsg-diagnose
+tsg-diagnose: tsg-diagnose-20.09-1.el7.x86_64
diff --git a/uninstall/roles/packet_dump/tasks/main.yml b/uninstall/roles/packet_dump/tasks/main.yml
new file mode 100644
index 0000000..084df7e
--- /dev/null
+++ b/uninstall/roles/packet_dump/tasks/main.yml
@@ -0,0 +1,16 @@
+####################
+#Uninstall packet_dump
+- name: "[uninstall packet_dump] stop packet_dump"
+ systemd:
+ name: packet_dump
+ state: stopped
+ enabled: no
+ when: uninstall.packet_dump == 1
+ ignore_errors: true
+
+- name: "[uninstall packet_dump] uninstall packet_dump"
+ yum:
+ name:
+ - "{{ packet_dump }}"
+ state: absent
+ when: uninstall.packet_dump == 1
diff --git a/uninstall/roles/remove_files/tasks/main.yml b/uninstall/roles/remove_files/tasks/main.yml
new file mode 100644
index 0000000..c267635
--- /dev/null
+++ b/uninstall/roles/remove_files/tasks/main.yml
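Review bot: The key `tsg-diagnose:` on the last line contains a hyphen, which is not a valid Ansible variable name, so a task cannot reach it as `{{ tsg-diagnose }}` (Jinja parses that as a subtraction); rename it `tsg_diagnose: tsg-diagnose-20.09-1.el7.x86_64` to match the underscore style of every other key in the file. This list also drops the `tsg_conn_record` key that the 20.06.1 through 20.08 lists define and that the firewall role still templates, so on 20.09 that task fails on an undefined variable and `ignore_errors` swallows it; either keep the key as `tsg_conn_record: null` or guard the task with `when: tsg_conn_record is defined`.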
@@ -0,0 +1,96 @@
+- name: "remove /home/mesasoft/sapp_run"
+ file:
+ path: /home/mesasoft/sapp_run
+ state: absent
+ when: remove.sapp == 1
+ ignore_errors: true
+
+- name: "remove sapp.service"
+ file:
+ path: /usr/lib/systemd/system/sapp.service
+ state: absent
+ when: remove.sapp == 1
+ ignore_errors: true
+
+- name: "remove clotho files"
+ file:
+ path: /home/mesasoft/clotho
+ state: absent
+ when: remove.clotho == 1
+ ignore_errors: true
+
+- name: "remove clotho.service"
+ file:
+ path: /usr/lib/systemd/system/clotho.service
+ state: absent
+ when: remove.clotho == 1
+ ignore_errors: true
+
+- name: "remove http_healthcheck files"
+ file:
+ path: /home/mesasoft/http_healthcheck
+ state: absent
+ when: remove.http_healthcheck == 1
+ ignore_errors: true
+
+- name: "remove telegraf_statistic files"
+ file:
+ path: /etc/telegraf/telegraf_statistic.conf
+ state: absent
+ when: remove.telegraf_statistic == 1
+ ignore_errors: true
+
+- name: "remove /tmp/metrics.out"
+ file:
+ path: /tmp/metrics.out
+ state: absent
+ when: remove.telegraf_statistic == 1
+ ignore_errors: true
+
+- name: "remove /home/tsg/certstore files"
+ file:
+ path: /home/tsg/certstore
+ state: absent
+ when: remove.certstore == 1
+ ignore_errors: true
+
+- name: "remove /opt/tsg/certstore files"
+ file:
+ path: /opt/tsg/certstore
+ state: absent
+ when: remove.certstore == 1
+ ignore_errors: true
+
+- name: "remove certstore.service"
+ file:
+ path: /usr/lib/systemd/system/certstore.service
+ state: absent
+ when: remove.certstore == 1
+ ignore_errors: true
+
+- name: "remove /opt/tsg/cert-redis files"
+ file:
+ path: /opt/tsg/cert-redis
+ state: absent
+ when: remove.certredis == 1
+ ignore_errors: true
+
+- name: "remove /home/tsg/cert-redis files"
+ file:
+ path: /home/tsg/cert-redis
+ state: absent
+ when: remove.certredis == 1
+ ignore_errors: true
+
+- name: "remove /opt/proxy_status"
+ file:
+ path: /opt/proxy_status
+ state: absent
+ ignore_errors: true
+
+- name: "remove /tmp/ansible_deploy"
+ file:
+ path: /tmp/ansible_deploy
+ state: absent
+ ignore_errors: true
+
diff --git a/uninstall/roles/remove_framework_files/tasks/main.yml b/uninstall/roles/remove_framework_files/tasks/main.yml
new file mode 100644
index 0000000..05f6975
--- /dev/null
+++ b/uninstall/roles/remove_framework_files/tasks/main.yml
@@ -0,0 +1,6 @@
+- name: "remove framework files"
+ file:
+ path: /opt/MESA
+ state: absent
+ when: remove.framework == 1
+ ignore_errors: true
diff --git a/uninstall/roles/remove_marsio_files/tasks/main.yml b/uninstall/roles/remove_marsio_files/tasks/main.yml
new file mode 100644
index 0000000..2fc9d59
--- /dev/null
+++ b/uninstall/roles/remove_marsio_files/tasks/main.yml
@@ -0,0 +1,21 @@
+- name: "remove marsio files"
+ file:
+ path: /opt/mrzcpd
+ state: absent
+ when: remove.marsio == 1
+ ignore_errors: true
+
+- name: "remove mrzcpd.service"
+ file:
+ path: /usr/lib/systemd/system/mrzcpd.service
+ state: absent
+ when: remove.marsio == 1
+ ignore_errors: true
+
+- name: "remove mrtunnat.service"
+ file:
+ path: /usr/lib/systemd/system/mrtunnat.service
+ state: absent
+ when: remove.marsio == 1
+ ignore_errors: true
+
diff --git a/uninstall/roles/remove_tfe_files/tasks/main.yml b/uninstall/roles/remove_tfe_files/tasks/main.yml
new file mode 100644
index 0000000..b6b9788
--- /dev/null
+++ b/uninstall/roles/remove_tfe_files/tasks/main.yml
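Review bot: The last two tasks, `remove /opt/proxy_status` and `remove /tmp/ansible_deploy`, carry no `when:` guard while every other task in the role is conditioned on a `remove.*` flag, so they delete those paths as root on every run of the role regardless of what the operator selected; if that is deliberate, a comment above them, `# always removed: not tied to a remove.* flag`, should say so, otherwise add `when: remove.proxy_status == 1` in the same style. The unit files removed here (`sapp.service`, `clotho.service`, `certstore.service`) are deleted without a following `systemd: daemon_reload: true`, so systemd keeps the stale unit definitions loaded until something else reloads it; the same applies to the remove_marsio_files and remove_tfe_files hunks.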
@@ -0,0 +1,28 @@
+- name: "remove /opt/tsg/tfe"
+ file:
+ path: /opt/tsg/tfe
+ state: absent
+ when: remove.tfe == 1
+ ignore_errors: true
+
+- name: "remove tfe.service"
+ file:
+ path: /usr/lib/systemd/system/tfe.service
+ state: absent
+ when: remove.tfe == 1
+ ignore_errors: true
+
+- name: "remove tfe-env.service"
+ file:
+ path: /usr/lib/systemd/system/tfe-env.service
+ state: absent
+ when: remove.tfe == 1
+ ignore_errors: true
+
+- name: "remove tfe-env-tun-mode.service"
+ file:
+ path: /usr/lib/systemd/system/tfe-env-tun-mode.service
+ state: absent
+ when: remove.tfe == 1
+ ignore_errors: true
+
diff --git a/uninstall/roles/sapp/tasks/main.yml b/uninstall/roles/sapp/tasks/main.yml
new file mode 100644
index 0000000..88f00a3
--- /dev/null
+++ b/uninstall/roles/sapp/tasks/main.yml
@@ -0,0 +1,17 @@
+####################
+#Uninstall sapp
+- name: "[uninstall sapp] stop sapp"
+ systemd:
+ name: sapp
+ state: stopped
+ enabled: no
+ when:
+ - uninstall.sapp == 1
+ ignore_errors: true
+
+- name: "[uninstall sapp] uninstall sapp"
+ yum:
+ name:
+ - "{{ sapp }}"
+ state: absent
+ when: uninstall.sapp == 1
diff --git a/uninstall/roles/telegraf_statistic/tasks/main.yml b/uninstall/roles/telegraf_statistic/tasks/main.yml
new file mode 100644
index 0000000..29d1e09
--- /dev/null
+++ b/uninstall/roles/telegraf_statistic/tasks/main.yml
@@ -0,0 +1,10 @@
+####################
+#Uninstall telegraf_statistic
+- name: "[uninstall telegraf_statistic] stop telegraf_statistic"
+ systemd:
+ name: telegraf_statistic
+ state: stopped
+ enabled: no
+ when: uninstall.telegraf_statistic == 1
+ ignore_errors: true
+
diff --git a/uninstall/roles/tfe/tasks/main.yml b/uninstall/roles/tfe/tasks/main.yml
new file mode 100644
index 0000000..50bf1a2
--- /dev/null
+++ b/uninstall/roles/tfe/tasks/main.yml
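Review bot: The telegraf_statistic role only stops and disables the `telegraf_statistic` unit and never removes the `{{ telegraf_statistic }}` package, even though every package list in this commit defines it and every sibling uninstall role pairs its stop task with a `yum: state: absent` task. If leaving the package installed is intentional (the telegraf binary may be shared with another role — that is not visible here), a comment above the task, `# package intentionally left installed; only the statistic unit is stopped — TODO confirm`, would stop the next reader from "fixing" it; otherwise add the matching yum task.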
@@ -0,0 +1,27 @@
+####################
+#Uninstall tfe
+- name: "[uninstall tfe] stop tfe"
+ systemd:
+ name: tfe
+ state: stopped
+ enabled: no
+ when:
+ - uninstall.tfe == 1
+ ignore_errors: true
+
+- name: "[uninstall tfe] stop tfe-env"
+ systemd:
+ name: tfe-env
+ state: stopped
+ enabled: no
+ when:
+ - uninstall.tfe == 1
+ ignore_errors: true
+
+- name: "[uninstall tfe] uninstall tfe"
+ yum:
+ name:
+ - "{{ tfe }}"
+ - "{{ tfe_kmod }}"
+ state: absent
+ when: uninstall.tfe == 1
diff --git a/uninstall/roles/tsg_app/tasks/main.yml b/uninstall/roles/tsg_app/tasks/main.yml
new file mode 100644
index 0000000..0ae8ff1
--- /dev/null
+++ b/uninstall/roles/tsg_app/tasks/main.yml
@@ -0,0 +1,24 @@
+####################
+#Tsg-app
+- name: "[uninstall tsg-app] stop sapp"
+ systemd:
+ name: sapp
+ state: stopped
+ enabled: no
+ when:
+ - uninstall_version >= 20.09
+ - uninstall.tsg_app == 1
+ ignore_errors: true
+
+- name: "[uninstall tsg-app] uninstall tsg_app"
+ yum:
+ name:
+ - "{{ app_sketch_local }}"
+ - "{{ app_control_plug }}"
+ - "{{ app_proto_identify }}"
+ - "{{ app_master }}"
+ state: absent
+ when:
+ - uninstall_version >= 20.09
+ - uninstall.tsg_app == 1
+
diff --git a/uninstall/roles/tsg_master/tasks/main.yml b/uninstall/roles/tsg_master/tasks/main.yml
new file mode 100644
index 0000000..9355339
--- /dev/null
+++ b/uninstall/roles/tsg_master/tasks/main.yml
@@ -0,0 +1,18 @@
+####################
+#Uninstall tsg_master
+- name: "[uninstall tsg_master] stop sapp"
+ systemd:
+ name: sapp
+ state: stopped
+ enabled: no
+ when:
+ - uninstall.tsgmaster == 1
+ ignore_errors: true
+
+- name: "[uninstall tsg_master] uninstall tsg_master"
+ yum:
+ name:
+ - "{{ tsg_master }}"
+ state: absent
+ when: uninstall.tsgmaster == 1
+
diff --git a/uninstall/rpm_list.sh b/uninstall/rpm_list.sh
new file mode 100644
index 0000000..7778703
--- /dev/null
+++ b/uninstall/rpm_list.sh
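Review bot: The tfe role stops `tfe` and `tfe-env` before `yum: state: absent` removes the package, but the remove_tfe_files role in this same commit also deletes `tfe-env-tun-mode.service`, which suggests a third unit that is never stopped or disabled here and would be left running or enabled against a removed package. If that unit exists on tun-mode hosts, add a third `systemd:` task mirroring the `tfe-env` one with `name: tfe-env-tun-mode`; if it only ever exists on some hosts, keep the `ignore_errors: true` so the missing-unit case does not fail the role.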
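Review bot: `uninstall_version >= 20.09` in both `when:` lists is a numeric comparison on a float, so a version such as 20.10 parses as 20.1 and compares as older than 20.09, and a value like the `20.07.rc1` used for the package-list filenames is not a number at all and would fail the comparison outright; use Ansible's version test instead, `- uninstall_version is version('20.09', '>=')`, with `uninstall_version` kept as a quoted string wherever it is defined (not visible in this commit). The `enabled: no` truthy form is also worth changing to `enabled: false`.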
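Review bot: The flag key `uninstall.tsgmaster` breaks the naming used by every other role in this commit (`uninstall.tsg_app`, `uninstall.http_healthcheck`, `uninstall.packet_dump`) and by the role name `tsg_master` itself, which makes the flag easy to misspell in the vars file that defines it. Rename both occurrences to `- uninstall.tsg_master == 1` and `when: uninstall.tsg_master == 1`, together with the defining vars file, which is outside this diff.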
@@ -0,0 +1,136 @@
+#!/bin/bash
+#
+mrzcpd=`rpm -qa |grep ^mrzcpd`
+libcjson=`rpm -qa |grep ^libcjson`
+libdocument=`rpm -qa |grep ^libdocument`
+libmaatframe=`rpm -qa |grep ^libmaatframe`
+libMESA_field_stat=`rpm -qa |grep ^libMESA_field_stat-`
+libMESA_field_stat2=`rpm -qa |grep ^libMESA_field_stat2`
+libMESA_handle_logger=`rpm -qa |grep ^libMESA_handle_logger`
+libMESA_htable=`rpm -qa |grep ^libMESA_htable`
+libMESA_prof_load=`rpm -qa |grep ^libMESA_prof_load`
+librdkafka=`rpm -qa |grep ^librdkafka`
+librulescan=`rpm -qa |grep ^librulescan`
+libwiredcfg=`rpm -qa |grep ^libwiredcfg`
+libWiredLB=`rpm -qa |grep ^libWiredLB`
+lz4=`rpm -qa |grep ^lz4`
+libtsglua=`rpm -qa |grep ^libtsglua`
+sapp=`rpm -qa |grep ^sapp`
+tsg_master=`rpm -qa |grep ^tsg_master`
+kni=`rpm -qa |grep ^kni`
+capture_packet_plug=`rpm -qa |grep ^capture_packet_plug`
+dns=`rpm -qa |grep ^dns-`
+ftp=`rpm -qa |grep ^ftp-`
+mail=`rpm -qa |grep ^mail-`
+ssl=`rpm -qa |grep ^ssl-`
+quic=`rpm -qa |grep ^quic-`
+http=`rpm -qa |grep ^http-2`
+fw_dns=`rpm -qa |grep ^fw_dns`
+fw_ftp=`rpm -qa |grep ^fw_ftp`
+fw_http=`rpm -qa |grep ^fw_http`
+fw_quic=`rpm -qa |grep ^fw_quic`
+fw_ssl=`rpm -qa |grep ^fw_ssl`
+fw_mail=`rpm -qa |grep ^fw_mail`
+tsg_conn_sketch=`rpm -qa |grep ^tsg_conn_sketch`
+tsg_conn_record=`rpm -qa |grep ^tsg_conn_record`
+app_sketch_local=`rpm -qa |grep ^app_sketch_local`
+app_control_plug=`rpm -qa |grep ^app_control_plug`
+app_proto_identify=`rpm -qa |grep ^app_proto_identify`
+app_master=`rpm -qa |grep ^app_master`
+tfe=`rpm -qa |grep ^tfe-4`
+tfe_kmod=`rpm -qa |grep ^tfe-kmod`
+http_healthcheck=`rpm -qa |grep ^http_healthcheck`
+clotho=`rpm -qa |grep ^clotho`
+packet_dump=`rpm -qa |grep ^packet_dump`
+certstore=`rpm -qa |grep ^certstore`
+
+
+cat > ./tsg_version.yml <