bugfix:增加部署过程中漏掉的ssl，fw_ssl_plug和修改部署过程中出现的错误

rpm包

adc_deploy.yml

@@ -18,17 +18,18 @@
     - {role: tsg_master, tags: tsg_master}
     - {role: kni, tags: kni}
     - {role: firewall, tags: firewall}
-#    - tsg_app
+    - {role: tsg_app, tags: tsg_app}
     - {role: http_healthcheck,tags: http_healthcheck}
     - {role: redis, tags: redis}
     - {role: cert-redis, tags: cert-redis}
     - {role: maat-redis, tags: maat-redis, when: deploy_mode == "cluster"}
     - {role: certstore, tags: certstore}
     - {role: telegraf_statistic, tags: telegraf_statistic}
-    - {role: app_proto_identify, tags: app_proto_identify}
     - {role: adc_exporter, tags: adc_exporter}
 #    - {role: switch_control, tags: switch_control}
     - {role: tsg-env-patch, tags: tsg-env-patch}
+    - {role: docker-env, tags: docker-env}
+    - {role: tsg-diagnose, tags: tsg-diagnose}
 
 - hosts: adc_mcn1
   remote_user: root
@@ -44,6 +45,7 @@
     - {role: adc_exporter, tags: adc_exporter}
 #    - {role: switch_control, tags: switch_control}
     - {role: tsg-env-patch, tags: tsg-env-patch}
+    - {role: tsg-diagnose_sync_ca, tags: tsg-diagnose_sync_ca}
 
 - hosts: adc_mcn2
   remote_user: root
@@ -59,6 +61,7 @@
     - {role: adc_exporter, tags: adc_exporter}
 #    - {role: switch_control, tags: switch_control}
     - {role: tsg-env-patch, tags: tsg-env-path}
+    - {role: tsg-diagnose_sync_ca, tags: tsg-diagnose_sync_ca}
 
 - hosts: adc_mcn3
   remote_user: root
@@ -70,10 +73,16 @@
     - {role: kernel-ml, tags: kernel-ml}
     - {role: mrzcpd, tags: mrzcpd}
     - {role: tfe, tags: tfe}
-#    - {role: adc_exporter, tags: adc_exporter}
-    - {role: switch_control, tags: switch_control}
+    - {role: adc_exporter, tags: adc_exporter}
+#    - {role: switch_control, tags: switch_control}
     - {role: tsg-env-patch, tags: tsg-env-patch}
-    
+    - {role: tsg-diagnose_sync_ca, tags: tsg-diagnose_sync_ca}
+
+- hosts: adc_mcn0
+  remote_user: root
+  roles:
+    - {role: tsg-diagnose_stop_sync, tags: tsg-diagnose_stop_sync}
+
 - hosts: packet_dump_server
   remote_user: root
   vars_files:
@@ -81,6 +90,7 @@
   roles:
     - {role: framework, tags: framework}
     - {role: packet_dump, tags: packet_dump}
+    - {role: dump_rtp_pcap, tags: dump_rtp_pcap}
 
 - hosts: app_global
   remote_user: root

install_config/group_vars/adc_global.yml

@@ -1,7 +1,7 @@
 #########################################
-#####1: Inline_device;  2: Allot;  3: ADC_Tun_mode;
+#####0: pcap; 1: Inline_device; 2: Allot;  3: ADC_Tun_mode;  4:ATCA_Vlan_Flipping 5:ATCA_VXLAN
 tsg_access_type: 2
-#####2: ADC;
+#####2: ADC;  0:Tun_mode; 1: normal;
 tsg_running_type: 2
 #####deploy mode: cluster, single
 deploy_mode: "cluster"
@@ -34,13 +34,18 @@ cert_store_server:
 log_kafkabrokers:
   address: ['1.1.1.1:9092','2.2.2.2:9092']
 
-log_minio:
-  address: "10.4.62.253"
-  port: 9090
+#log_minio:
+#  address: "10.4.62.253"
+#  port: 9090
+pangu_pxy:
+  log_cache:
+    address: "10.9.62.253"
+    port: 9090
 
 #########################################
 #Log Level Config
 #日志等级 10:DEBUG 20:INFO 30:FATAL
+fw_voip_log_level: 10
 fw_ftp_log_level: 10
 fw_mail_log_level: 10
 fw_http_log_level: 10
@@ -69,6 +74,9 @@ sapp:
   send_only_threads_max: 1
   bind_mask: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43
   inbound_route_dir: 1
+  prometheus_enable: 1
+  prometheus_port: 9273
+  prometheus_url_path: "/metrics"
 
 ########################################
 #Kni Config
@@ -106,19 +114,42 @@ mrtunnat:
 
 #########################################
 #Tsg_app
-tsg_app_enable: 0
-app_global_ip: "1.1.1.1"
-applog_level: 10
-app_master_log_level: 10
-app_sketch_local_log_level: 10
-app_control_plug_log_level: 10
+tsg_app:
+  enable: 0
 
 breakpad_upload_url: http://10.4.63.4:9000/api/2/minidump/?sentry_key=3203b43fd5384a7dbe6a48ecb1f3c595
 data_center: Kyzylorda
 tsg_master_entrance_id: 9
 nic_mgr: 
    name: em1
-   
-sapp_prometheus_enable: 1
-sapp_prometheus_port: 9273
-sapp_prometheus_url_path: "/metrics"
+
+firewall:
+  hos_serverip: "192.168.40.223"
+  hos_serverport: 9098
+  hos_accesskeyid: "default"
+  hos_secretkey: "default"
+  hos_poolsize: 100
+  hos_thread_sum: 32
+  hos_cache_size: 102400
+  hos_fs2_serverip: "127.0.0.1"
+  hos_fs2_serverport: 10086
+  APP_SKETCH_LOG_LEVEL: 10
+  APP_SKETCH_LOG_PATH: "./tsglog/app_sketch_local/app_sketch_local"
+  APP_SKETCH_L7_PROTOCOL_LABEL: "BASIC_PROTO_LABEL"
+  APP_SKETCH_QOS: 1
+  APP_SKETCH_PUBLISH_TOPIC: "APP_SIGNATURE_ID"
+  APP_SKETCH_BROKER_LIST: "tcp://192.168.40.161:1883"
+
+
+dump_rtp_pcap:
+  aws_access_key_id: "default"
+  aws_secret_access_key: "default"
+  aws_session_token: "c21f969b5f03d33d43e04f8f136e7682"
+  consume_bootstrap_servers: ['192.168.44.14:9092']
+  endpoint_url: "http://192.168.44.67:9098/hos/"
+  produce_bootstrap_servers: "192.168.44.14:9092"
+  queue_size: 5000000
+  coroutine_max_num: 200
+  coroutine_num: 100
+  qfull_mode: 0
+  qfull_interval: 5

install_config/group_vars/server_as_tun_mode.yml

@@ -45,13 +45,15 @@ cert_store_server:
 log_kafkabrokers:
   address: ['1.1.1.1:9092','2.2.2.2:9092']
 
-log_minio:
-  address: "10.9.62.253"
-  port: 9090
+
+#log_minio:
+#  address: "10.9.62.253"
+#  port: 9090
 
 #########################################
 #Log Level Config
 #日志等级 10:DEBUG 20:INFO 30:FATAL
+fw_voip_log_level: 10
 fw_ftp_log_level: 10
 fw_mail_log_level: 10
 fw_http_log_level: 10
@@ -80,6 +82,10 @@ sapp:
   send_only_threads_max: 1
   bind_mask: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
   inbound_route_dir: 1
+  prometheus_enable: 1
+  prometheus_port: 9273
+  prometheus_url_path: "/metrics"
+
 
 #########################################
 #Sapp Double-Arm Config
@@ -120,16 +126,12 @@ mrtunnat:
 
 #########################################
 #Tsg_app
-tsg_app_enable: 1
-app_global_ip: "1.1.1.1"
-applog_level: 10
-app_master_log_level: 10
-app_sketch_local_log_level: 10
-app_control_plug_log_level: 10
+tsg_app:
+  enable: 1
 
 #########################################
 #ATCA Config
-#下列配置只在tsg_access_type=4时生效
+#下列配置只在tsg_access_type=4 or 5时生效
 ATCA_data_incoming:
   ethname: enp1s0
   vf0_name: enp1s2
@@ -161,6 +163,38 @@ breakpad_upload_url: http://127.0.0.1:9000/api/2/minidump/?sentry_key=3556bac347
 data_center: Beijing
 tsg_master_entrance_id: 0
 
-sapp_prometheus_enable: 1
-sapp_prometheus_port: 9273
-sapp_prometheus_url_path: "/metrics"
+pangu_pxy:
+  log_cache:
+    address: "10.9.62.253"
+    port: 9090
+
+firewall:
+  hos_serverip: "192.168.40.223"
+  hos_serverport: 9098
+  hos_accesskeyid: "default"
+  hos_secretkey: "default"
+  hos_poolsize: 100
+  hos_thread_sum: 32
+  hos_cache_size: 102400
+  hos_fs2_serverip: "127.0.0.1"
+  hos_fs2_serverport: 10086
+  APP_SKETCH_LOG_LEVEL: 10
+  APP_SKETCH_LOG_PATH: "./tsglog/app_sketch_local/app_sketch_local"
+  APP_SKETCH_L7_PROTOCOL_LABEL: "BASIC_PROTO_LABEL"
+  APP_SKETCH_QOS: 1
+  APP_SKETCH_PUBLISH_TOPIC: "APP_SIGNATURE_ID"
+  APP_SKETCH_BROKER_LIST: "tcp://192.168.40.161:1883"
+
+
+dump_rtp_pcap:
+  aws_access_key_id: "default"
+  aws_secret_access_key: "default"
+  aws_session_token: "c21f969b5f03d33d43e04f8f136e7682"
+  consume_bootstrap_servers: ['192.168.44.14:9092']
+  endpoint_url: "http://192.168.44.67:9098/hos/"
+  produce_bootstrap_servers: "192.168.44.14:9092"
+  queue_size: 5000000
+  coroutine_max_num: 200
+  coroutine_num: 100
+  qfull_mode: 0
+  qfull_interval: 5

roles/app_proto_identify/tasks/main.yml

@@ -1,14 +0,0 @@
----
-- name: "copy app_proto_identify rpm package destination server"
-  copy:
-    src: "{{ role_path }}/files/"
-    dest: /tmp/ansible_deploy/
-
-- name: "install app_proto_identify"
-  yum:
-    name: "{{ app_packages }}"
-    state: present
-    skip_broken: yes
-  vars:
-    app_packages:
-      - /tmp/ansible_deploy/app_proto_identify-1.0.7.a5113ba-2.el7.x86_64.rpm

roles/certstore/tasks/main.yml

@@ -10,7 +10,7 @@
 - name: install certstore
   yum:
     name:
-      - /tmp/ansible_deploy/certstore-2.1.6.20201215.f2e9ba7-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/certstore-2.1.7.20210422.3f0c7ed-1.el7.x86_64.rpm
     state: present
 
 - name: template certstore configure file

roles/docker-env/files/daemon.json

@@ -0,0 +1 @@
+{"iptables":false,"bridge": "none"}

roles/docker-env/tasks/docker-ce.yml

@@ -0,0 +1,43 @@
+---
+- name: "docker-ce: copy docker-ce.zip to dest device"
+  copy:
+    src: '{{ role_path }}/files/docker-ce.zip'
+    dest: /tmp/ansible_deploy/
+    
+- name: "docker-ce: unarchive docker-ce.zip"
+  unarchive:
+    src: /tmp/ansible_deploy/docker-ce.zip
+    dest: /tmp/ansible_deploy/
+    remote_src: yes
+
+- name: "docker-ce: install docker-ce rpm package and dependencies"
+  yum:
+    name:
+      - /tmp/ansible_deploy/docker-ce/container-selinux-2.119.2-1.911c772.el7_8.noarch.rpm
+      - /tmp/ansible_deploy/docker-ce/docker-ce-19.03.13-3.el7.x86_64.rpm
+      - /tmp/ansible_deploy/docker-ce/docker-ce-cli-19.03.13-3.el7.x86_64.rpm
+      - /tmp/ansible_deploy/docker-ce/containerd.io-1.3.7-3.1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/docker-ce/selinux-policy-targeted-3.13.1-266.el7_8.1.noarch.rpm
+      - /tmp/ansible_deploy/docker-ce/selinux-policy-3.13.1-266.el7_8.1.noarch.rpm
+      - /tmp/ansible_deploy/docker-ce/policycoreutils-python-2.5-34.el7.x86_64.rpm
+      - /tmp/ansible_deploy/docker-ce/policycoreutils-2.5-34.el7.x86_64.rpm
+      - /tmp/ansible_deploy/docker-ce/libselinux-utils-2.5-15.el7.x86_64.rpm
+      - /tmp/ansible_deploy/docker-ce/libselinux-python-2.5-15.el7.x86_64.rpm
+      - /tmp/ansible_deploy/docker-ce/libselinux-2.5-15.el7.x86_64.rpm
+      - /tmp/ansible_deploy/docker-ce/setools-libs-3.3.8-4.el7.x86_64.rpm
+      - /tmp/ansible_deploy/docker-ce/libsepol-2.5-10.el7.x86_64.rpm
+      - /tmp/ansible_deploy/docker-ce/libsemanage-python-2.5-14.el7.x86_64.rpm
+      - /tmp/ansible_deploy/docker-ce/libsemanage-2.5-14.el7.x86_64.rpm
+    state: present
+
+- name: "docker-ce: copy daemon.json to target"
+  copy:
+    src: '{{ role_path }}/files/daemon.json'
+    dest: /etc/docker/
+
+- name: "docker-ce: systemctl start docker and enabled docker"
+  systemd:
+    name: docker
+    enabled: yes
+    daemon_reload: yes
+    state: started

roles/docker-env/tasks/docker-compose.yml

@@ -0,0 +1,18 @@
+---
+- name: "docker-compose: copy docker-compose.zip to dest device"
+  copy:
+    src: '{{ role_path }}/files/docker-compose.zip'
+    dest: /tmp/ansible_deploy/
+
+- name: "docker-compose: unarchive docker-compose.zip"
+  unarchive:
+    src: /tmp/ansible_deploy/docker-compose.zip
+    dest: /tmp/ansible_deploy/
+    remote_src: yes
+
+- name: "docker-compose: install docker-compose using pip3"
+  pip:
+    requirements: /tmp/ansible_deploy/docker-compose/requirements.txt
+    extra_args: "--no-index --find-links=file:///tmp/ansible_deploy/docker-compose"
+    state: forcereinstall
+    executable: pip3

roles/docker-env/tasks/main.yml

@@ -0,0 +1,4 @@
+---
+- include: docker-ce.yml
+- include: python3.yml 
+- include: docker-compose.yml 

roles/docker-env/tasks/python3.yml

@@ -0,0 +1,21 @@
+---
+- name: "python3: copy python3.zip to dest device"
+  copy:
+    src: '{{ role_path }}/files/python3.zip'
+    dest: /tmp/ansible_deploy/
+    
+- name: "python3: unarchive python3.zip"
+  unarchive:
+    src: /tmp/ansible_deploy/python3.zip
+    dest: /tmp/ansible_deploy/
+    remote_src: yes
+
+- name: "python3: install python3 rpm package and dependencies"
+  yum:
+    name:
+      - /tmp/ansible_deploy/python3/python3-libs-3.6.8-13.el7.x86_64.rpm
+      - /tmp/ansible_deploy/python3/python3-3.6.8-13.el7.x86_64.rpm
+      - /tmp/ansible_deploy/python3/python3-pip-9.0.3-7.el7_7.noarch.rpm
+      - /tmp/ansible_deploy/python3/python3-setuptools-39.2.0-10.el7.noarch.rpm
+      - /tmp/ansible_deploy/python3/libtirpc-0.2.4-0.16.el7.x86_64.rpm
+    state: present

roles/dump_rtp_pcap/tasks/main.yml

@@ -0,0 +1,22 @@
+- name: "dump-rtp-pcap: copy dump-rtp-pcap rpm package to destination"
+  copy:
+    src: "{{ role_path }}/files/"
+    dest: /tmp/ansible_deploy/
+
+- name: "dump-rtp-pcap: install dump-rtp-pcap rpm from localhost"
+  yum:
+    name:
+      - /tmp/ansible_deploy/dump_rtp_pcap-1.0.2.445da24-2.el7.x86_64.rpm
+    state: present
+
+- name: "dump-rtp-pcap: Template the dump_rtp_pcap.json"
+  template:
+    src: "{{ role_path }}/templates/dump_rtp_pcap.json.j2"
+    dest: /home/mesasoft/dump_rtp_pcap/dump_rtp_pcap.json
+  tags: template
+ 
+- name: "start dump_rtp_pcap"
+  systemd:
+    name: dump_rtp_pcap.service
+    enabled: yes
+    daemon_reload: yes

roles/dump_rtp_pcap/templates/dump_rtp_pcap.json.j2

@@ -0,0 +1,23 @@
+{
+    "endian":"little",
+    "aws_access_key_id": "{{ dump_rtp_pcap.aws_access_key_id }}",
+    "aws_secret_access_key": "{{ dump_rtp_pcap.aws_secret_access_key }}",
+    "aws_session_token": "{{ dump_rtp_pcap.aws_session_token }}",
+    "bucket_name": "rtp-log",
+    "consume_auto_offset_reset":"latest",
+    "consume_bootstrap_servers": ["{{ dump_rtp_pcap.consume_bootstrap_servers | join("\",\"") }}"],
+    "consume_topic": "INTERNAL-RTP-LOG",
+    "endpoint_url": "{{ dump_rtp_pcap.endpoint_url }}",
+    "file_prefix":"rtp_log",
+    "group_id": "rtp-log-1",
+    "produce_bootstrap_servers": "{{ dump_rtp_pcap.produce_bootstrap_servers }}",
+    "produce_topic": "VOIP-RECORD-LOG",
+    "region_name": "us-east-1",
+    "save_speed_emit_interval":30,
+    "upload_speed_emit_interval":30,
+    "queue_size":{{ dump_rtp_pcap.queue_size }},
+    "coroutine_max_num":{{ dump_rtp_pcap.coroutine_max_num }},
+    "coroutine_num":{{ dump_rtp_pcap.coroutine_num }},
+    "qfull_mode":{{ dump_rtp_pcap.qfull_mode }},
+    "qfull_interval":{{ dump_rtp_pcap.qfull_interval }}
+}

roles/firewall/tasks/main.yml

@@ -13,20 +13,25 @@
     fw_packages:
       - /tmp/ansible_deploy/capture_packet_plug-3.0.6.a2db4a4-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/conn_telemetry-1.0.2.8d6da43-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/dns-2.0.9.b639626-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/dns-2.0.11.2265b5c-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/ftp-1.0.8.13d5fda-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/fw_dns_plug-3.0.2.dab58fa-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_dns_plug-3.0.5.2a25c20-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/fw_ftp_plug-3.0.1.0a78573-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/fw_http_plug-3.0.4.484b54d-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/fw_mail_plug-3.0.2.7401550-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_http_plug-3.2.3.6b8c95d-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_mail_plug-3.1.1.777fa90-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/fw_quic_plug-3.0.4.947ef77-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/fw_ssl_plug-3.0.6.a121701-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_ssl_plug-3.1.0.10d88fa-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/http-2.0.5.c61ad9a-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/mail-1.0.9.c1d3bde-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/quic-1.1.17.8c22b4d-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/ssl-1.0.12.16b8fb5-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/tsg_conn_sketch-2.0.12.0ad5a3b-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/app_control_plug-1.0.9.97846eb-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/ssl-2.0.0.eaa9479-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/tsg_conn_sketch-2.1.33.68c9aaf-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/rtp-1.0.4.91b4ab7-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/mesa_sip-1.1.0.cfebc76-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_voip_plug-1.0.6.341fe83-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/app_proto_identify-2.0.1.dd683eb-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/gtp-1.0.4.8804e43-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/gtp_signaling_plug-1.0.1.6e51cc4-2.el7.x86_64.rpm
 
 - name: "Template the tsgconf/main.conf"
   template:

roles/firewall/templates/maat.conf.j2

@@ -32,5 +32,21 @@ INC_CFG_DIR=tsgrule/inc/index/
 FULL_CFG_DIR=tsgrule/full/index/
 EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
 
+[APP_SIGNATURE_MAAT]
+MAAT_MODE=2
+STAT_SWITCH=1
+PERF_SWITCH=1
+TABLE_INFO=tsgconf/app_sketch_tableinfo.conf
+STAT_FILE=app_sketch_maat.status
+EFFECT_INTERVAL_S=1
+REDIS_IP={{ maat_redis_server.address }}
+REDIS_PORT_NUM={{ maat_redis_server.port_num }}
+REDIS_PORT={{ maat_redis_server.port }}
+REDIS_INDEX={{ maat_redis_server.db }}
+JSON_CFG_FILE=tsgconf/app_sketch_maat.json
+INC_CFG_DIR=tsgrule/inc/index/
+FULL_CFG_DIR=tsgrule/full/index/
+EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
+
 [MAAT]
 ACCEPT_TAGS={"tags":[{"tag":"data_center","value":"{{ data_center }}"}]}

roles/firewall/templates/main.conf.j2

@@ -1,3 +1,10 @@
+[VOIP_PLUG]
+TIMEOUT=300
+LOG_PATH="./tsglog/fw_voip_plug/fw_voip_plug"
+LOG_LEVEL={{ fw_voip_log_level }}
+TABLE_TO=TSG_FIELD_SIP_RESPONDER_DESCRIPTION
+TABLE_FROM=TSG_FIELD_SIP_ORIGINATOR_DESCRIPTION
+
 [FTP_PLUG]
 LOG_PATH="./tsglog/fw_ftp_plug/fw_ftp_plug"
 LOG_LEVEL={{ fw_ftp_log_level }}
@@ -54,6 +61,7 @@ OUTPUT_PATH="./tsg_stat.log"
 APP_NAME="tsg_master"
 
 [SYSTEM]
+NIC_NAME="{{ nic_mgr.name }}"
 ENTRANCE_ID={{ tsg_master_entrance_id }}
 LOG_LEVEL={{ tsg_master_log_level }}
 LOG_PATH="./tsglog/tsg_master"
@@ -62,3 +70,25 @@ DEVICE_ID_COMMAND="hostname | awk -F'-' '{print $3}'| awk -F'adc' '{print $2}'"
 
 [TSG_CONN_SKETCH]
 log_service=2
+
+
+[HOS_CONF]
+hos_serverip="{{ firewall.hos_serverip }}"
+hos_serverport={{ firewall.hos_serverport }}
+hos_accesskeyid="{{ firewall.hos_accesskeyid }}"
+hos_secretkey="{{ firewall.hos_secretkey }}"
+hos_poolsize={{ firewall.hos_poolsize }}
+hos_thread_sum={{ firewall.hos_thread_sum }}
+hos_cache_size={{ firewall.hos_cache_size }}
+hos_fs2_serverip="{{ firewall.hos_fs2_serverip }}"
+hos_fs2_serverport={{ firewall.hos_fs2_serverport }}
+
+[APP_SKETCH_LOCAL]
+LOG_LEVEL={{ firewall.APP_SKETCH_LOG_LEVEL }}
+LOG_PATH="{{ firewall.APP_SKETCH_LOG_PATH }}"
+
+[APP_SKETCH_FEEDBACK]
+QOS={{ firewall.APP_SKETCH_QOS }}
+PUBLISH_TOPIC="{{ firewall.APP_SKETCH_PUBLISH_TOPIC }}"
+#CLIENT_ID=
+BROKER_LIST="{{ firewall.APP_SKETCH_BROKER_LIST }}"

roles/framework/tasks/main.yml

@@ -12,19 +12,25 @@
     packages:
       - /tmp/ansible_deploy/libcjson-1.7.10.ab2896f-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/libdocumentanalyze-2.0.6.2d1abe0-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/libmaatframe-3.1.10.653727e-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libmaatframe-3.1.22.3.1.22.3.1.22.6b91622-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/libMESA_field_stat-1.0.2.6d45eed-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/libMESA_field_stat2-2.9.10.72ac4f1-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/libMESA_handle_logger-2.0.7.cb4ad71-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/libMESA_htable-3.10.12.cf4ccfc-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/libMESA_prof_load-1.0.6.c6da36a-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/librdkafka-0.11.4-1.el7.x86_64.rpm
-      - /tmp/ansible_deploy/librulescan-2.2.2.e5a4457-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/librulescan-2.2.3.93a68a2-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/libtsglua-1.0.8.0dbf2e6-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/libwiredcfg-2.0.6.67ae0ab-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/libWiredLB-2.0.5.4629165-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/lz4-1.7.5-3.el7.x86_64.rpm
       - /tmp/ansible_deploy/libbreakpad_mini-1.0.2.a56ef00-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libaws-c-common-1.0.3.fa2adf0-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libaws-c-event-stream-1.0.6.67fd944-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libaws-checksums-1.0.6.8b09ac1-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libaws-cpp-sdk-core-1.0.8.a3fe079-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libaws-cpp-sdk-s3-2.0.0.f3c33ea-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libhos-client-cpp-1.0.24.20e6f94-2.el7.x86_64.rpm
 
 - name: "mkdir /etc/ld.so.conf.d/"
   file:

roles/kernel-ml/tasks/main.yml

@@ -25,19 +25,19 @@
     src: "{{ role_path }}/files/grub"
     dest: "/etc/default"
   when: 
-    - tsg_access_type == 4
+    - tsg_access_type == 4 or tsg_access_type == 5
     - t_kernel_ml.changed
 
 - name: "BIOS:grub2-mkconfig"
   shell: grub2-mkconfig -o /boot/grub2/grub.cfg
   when:
-    - tsg_access_type == 4
+    - tsg_access_type == 4 or tsg_access_type == 5
     - t_kernel_ml.changed
 
 - name: "UEFI:grub2-mkconfig"
   shell: grub2-mkconfig  -o /boot/efi/EFI/centos/grub.cfg
   when:
-    - tsg_access_type == 4
+    - tsg_access_type == 4 or tsg_access_type == 5
     - t_kernel_ml.changed
 
 - name: "reboot"

roles/kni/tasks/main.yml

@@ -7,7 +7,7 @@
 - name: "install kni rpms from localhost"
   yum:
     name:
-      - /tmp/ansible_deploy/kni-20.12.01.13e663f-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/kni-21.05.01.e7573e5-2.el7.x86_64.rpm
     state: present
 #    skip_broken: yes
 

roles/kni/templates/kni.conf.j2

@@ -3,7 +3,7 @@ log_path = ./log/kni/kni.log
 log_level = {{ kni_log_level }}
 tfe_node_count = {{ kni.global.tfe_node_count }}
 manage_eth = {{ nic_mgr.name }}
-{% if tsg_running_type != 2 %}
+{% if tsg_running_type == 0 %}
 deploy_mode = tun
 {% else %}
 deploy_mode = normal
@@ -11,7 +11,7 @@ deploy_mode = normal
 tun_name = tun_kni
 src_mac_addr = 00:0e:c6:d6:72:c1
 dst_mac_addr = fe:65:b7:03:50:bd
-{% if tsg_access_type == 4 %}
+{% if tsg_access_type == 4 or tsg_access_type == 5 %}
 [tfe0]
 enabled = 1
 dev_eth_symbol = {{ ATCA_data_incoming.vf1_name }}
@@ -49,7 +49,7 @@ keepalive_cnt = 3
 appsym = knifw
 
 [dup_traffic]
-switch = 1
+switch = 0
 action = 2
 capacity = 10000000
 error_rate = 0.00001

roles/mrzcpd/tasks/main.yml

@@ -26,7 +26,7 @@
     src: "{{ role_path }}/templates/mrapp.sapp4.conf "
     dest: /opt/mrzcpd/etc/mrapp.sapp4.conf 
   when: 
-    - tsg_access_type == 4
+    - tsg_access_type == 4 or tsg_access_type == 5
 
 - name: "update mrglobal.conf.adc_inline"
   template:

roles/packet_dump/tasks/main.yml

@@ -25,7 +25,24 @@
   file:
     path: /var/www/html/troubleshooting
     state: directory
- 
+
+- name: "mkdir /opt/packet-dump-exporter/"
+  file:
+    path: /opt/packet-dump-exporter/
+    state: directory
+
+- name: "copy systemd_exporter"
+  copy:
+    src: '{{ role_path }}/files/systemd_exporter'
+    dest: /opt/packet-dump-exporter/systemd_exporter
+    mode: 0755
+
+- name: "templates packet-dump-exporter-systemd.service"
+  template:
+    src: "{{role_path}}/templates/packet-dump-exporter-systemd.service.j2"
+    dest: /usr/lib/systemd/system/packet-dump-exporter-systemd.service
+  tags: template
+
 - name: "start packet_dump"
   systemd:
     name: packet_dump.service
@@ -37,3 +54,10 @@
     name: httpd
     enabled: yes
     daemon_reload: yes
+
+- name: 'packet-dump-exporter-systemd service start'
+  systemd:
+    name: packet-dump-exporter-systemd
+    enabled: yes
+    daemon_reload: yes
+    state: restarted

roles/packet_dump/templates/packet-dump-exporter-systemd.service.j2

@@ -0,0 +1,11 @@
+[Unit]
+Description=Systemd Exporter
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/opt/packet-dump-exporter/systemd_exporter --web.disable-exporter-metrics
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/sapp/tasks/main.yml

@@ -13,13 +13,13 @@
 - name: "install sapp rpms from localhost"
   yum:
     name:
-      - /tmp/ansible_deploy/sapp-4.2.25.893d15d-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/sapp-4.2.35.b0d7518-2.el7.x86_64.rpm
     state: present
  
 - name: "install tcpdump_mesa rpms from localhost"
   yum:
     name:
-      - /tmp/ansible_deploy/tcpdump_mesa-1.0.2.0c5a950-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/tcpdump_mesa-1.0.4.4ef2936-2.el7.x86_64.rpm
     state: present
     skip_broken: yes
 

roles/sapp/templates/asymmetric_addr_layer.conf.j2

@@ -0,0 +1,7 @@
+#layer name definition:  ipv4, ipv6, ethernet,vlan, arp, gre, mpls, pppoe, tcp, udp, l2tp, ppp, pptp, gtp
+#pattern: asymmetric_layer_name[layer index]
+vlan[*]
+mpls[*]
+gre[*]
+gtp[*]
+

roles/sapp/templates/asymmetric_presence_layer.conf.j2

@@ -0,0 +1,8 @@
+#layer name definition:  ipv4, ipv6, ethernet,vlan, arp, gre, mpls, pppoe, tcp, udp, l2tp, ppp, pptp, gtp
+#pattern: asymmetric_layer_name    under_of_this_asymmetric_layer[layer_index]   upper_of_this_asymmetric_layer[layer_index]
+{% if tsg_access_type == 2 and tsg_running_type == 2 %}
+mpls    ethernet[0]    ipv4[1]
+mpls    ethernet[0]    ipv6[1]
+{% else %}
+#
+{% endif %}

roles/sapp/templates/conflist.inf.j2

@@ -1,18 +1,13 @@
 [platform]
-{% if tsg_access_type == 1 %}
-./plug/platform/g_device_plug/g_device_plug.inf
-#./plug/platform/http_healthcheck/http_healthcheck.inf
-{% else %}
-#./plug/platform/g_device_plug/g_device_plug.inf
-#./plug/platform/http_healthcheck/http_healthcheck.inf
+{% if tsg_access_type == 2 %}
+./plug/platform/http_healthcheck/http_healthcheck.inf
 {% endif %}
 ./plug/platform/app_proto_identify/app_proto_identify.inf
 ./plug/platform/tsg_master/tsg_master.inf
-{% if tsg_app_enable == 1 %}
-./plug/platform/app_master/app_master.inf
-{% endif %}
 
 [protocol]
+./plug/protocol/mesa_sip/mesa_sip.inf
+./plug/protocol/rtp/rtp.inf
 ./plug/protocol/ssl/ssl.inf
 ./plug/protocol/http/http.inf
 ./plug/protocol/dns/dns.inf
@@ -20,6 +15,7 @@
 ./plug/protocol/ftp/ftp.inf
 ./plug/protocol/quic/quic.inf
 ./plug/protocol/l2tp_protocol_plug/l2tp_protocol_plug.inf
+./plug/protocol/gtp/gtp.inf
 
 [business]
 ./plug/business/tsg_conn_sketch/tsg_conn_sketch.inf
@@ -31,12 +27,9 @@
 ./plug/business/fw_mail_plug/fw_mail_plug.inf
 ./plug/business/fw_ftp_plug/fw_ftp_plug.inf
 ./plug/business/fw_quic_plug/fw_quic_plug.inf
+./plug/business/fw_voip_plug/fw_voip_plug.inf
 ./plug/business/conn_telemetry/conn_telemetry.inf
-./plug/business/app_control_plug/app_control_plug.inf
-{% if tsg_app_enable == 1 %}
+{% if tsg_app.enable == 1 %}
 ./plug/business/app_sketch_local/app_sketch_local.inf
-./plug/business/app_control_plug/app_control_plug.inf
-{% endif %}
-{% if tsg_access_type == 2 %}
-./plug/platform/http_healthcheck/http_healthcheck.inf
 {% endif %}
+./plug/business/gtp_signaling_plug/gtp_signaling_plug.inf

roles/sapp/templates/sapp.service.j2

@@ -17,6 +17,7 @@ LimitCORE=0
 TasksMax=infinity
 Delegate=yes
 KillMode=process
+WatchdogSec=10s
 
 [Install]
 WantedBy=multi-user.target

roles/sapp/templates/sapp.toml.j2

@@ -33,7 +33,11 @@ dictator_enable=0
     l2_l3_tunnel_support=1
 
 ### note, optional value is [none, vxlan]
+    {% if tsg_access_type == 5 or tsg_access_type == 1 %}
+    overlay_mode=vxlan
+    {% else %}
     overlay_mode=none
+    {% endif %}
     stream_compare_layer_cfg_file="etc/stream_compare_layer.conf"
     vlan_flipping_cfg_file="etc/vlan_flipping_map.conf"
     asymmetric_presence_layer_cfg_file="etc/asymmetric_presence_layer.conf"
@@ -42,7 +46,7 @@ dictator_enable=0
 
     [packet_io.feature]
 	
-	{% if tsg_access_type == 4 %}
+	{% if tsg_access_type == 4 or tsg_access_type == 5 %}
 	### note, used to represent inbound or outbound direction value,
 	### because it comes from Third party device, so it needs to be specified manually,
 	### if inbound_route_dir=1, then outbound_route_dir=0, vice versa,
@@ -89,8 +93,12 @@ dictator_enable=0
     name={{packet_io.internal_interface}}
     {% else %}
     type=marsio
+    {% if tsg_access_type == 4 or tsg_access_type == 5 %}
+    name={{ATCA_data_incoming.vf0_name}}
+    {% else %}
     name={{nic_data_incoming.name}}
     {% endif %}
+    {% endif %}
 
     [packet_io.external.interface]
     {% if tsg_access_type == 0 %}
@@ -114,6 +122,11 @@ dictator_enable=0
     treat_vlan_as_mac_in_mac=0
     reverse_ethernet_addr=1
 
+[DUPLICATE_PKT]
+    duplicate_pkt_distinguish=1
+    bloom_capacity=1000000
+    bloom_error_rate=0.00001
+    bloom_timeout=10
 	
 [STREAM]
 ### note, stream_id_base_time format is "%Y-%m-%d %H:%M:%S" 
@@ -179,9 +192,9 @@ dictator_enable=0
         app_name=sapp
      
         [profiling.log.prometheus]
-        prometheus_enabled={{ sapp_prometheus_enable }}
-        prometheus_port={{ sapp_prometheus_port }}
-        prometheus_url_path="{{ sapp_prometheus_url_path }}"
+        prometheus_enabled={{ sapp.prometheus_enable }}
+        prometheus_port={{ sapp.prometheus_port }}
+        prometheus_url_path="{{ sapp.prometheus_url_path }}"
 
 [TOOLS]
     [tools.pkt_dump]

roles/sapp/templates/vlan_flipping_map.conf.j2

@@ -6,6 +6,11 @@
 #配置文件格式, pattern:
 #来自C路由器vlan_id	  	来自I路由器vlan_id   	是否开启mac地址翻转
 #C_router_vlan_id  I_router_vlan_id mac_flipping_enable
+{% if tsg_access_type == 2 and tsg_running_type == 2 %}
 1301	1302	1
 1201	1202	1
 4000	4001	0
+{% else %}
+4000	4001	0
+{% endif %}
+

roles/tfe/tasks/main.yml

@@ -13,8 +13,7 @@
 - name: "install tfe rpms from localhost"
   yum:
     name:
-      - /tmp/ansible_deploy/tfe-kmod-v1.0.5.20200408-1dkms.noarch.rpm
-      - /tmp/ansible_deploy/tfe-4.3.28.ce28c42-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/tfe-4.5.01.91facad-1.el7.x86_64.rpm
     state: present
 
 - name: "tfe:copy cert file to device"
@@ -74,6 +73,13 @@
     dest: /etc/systemd/system/tfe.service.d/
     mode: 0644
 
+- name: "enable tfe-env-tun-mode"
+  systemd:
+    name: tfe-env-tun-mode
+    enabled: yes
+    daemon_reload: yes
+  when: tsg_running_type == 0
+
 - name: "enable tfe-env"
   systemd:
     name: tfe-env

roles/tfe/templates/pangu_pxy.conf.j2

@@ -6,40 +6,26 @@ enable_plugin=1
 en_sendlog=1
 entrance_id=0
 
-#Addresses of minio. Format is defined by WiredLB.
-#minio_ip_list=192.168.10.61-64;
-minio_ip_list= {{ log_minio.address }}
-minio_listen_port= {{ log_minio.port }}
-#Maximum number of connections opened by per host.
-#MAX_CONNECTION_PER_HOST=1
-#Maximum number of requests in a pipeline.
-#MAX_CNNT_PIPELINE_NUM=20
-#Maximum parellel sessions(http and redis) is allowed to open.
-#MAX_CURL_SESSION_NUM=100
-#Maximum time the request is allowed to take(seconds).
-#MAX_CURL_TRANSFER_TIMEOUT_S=0
+#Addresses of hos, Bucket name in hos. Format is defined by WiredLB.
+cache_ip_list = {{ pangu_pxy.log_cache.address }}
+cache_listen_port = {{ pangu_pxy.log_cache.port }}
+cache_bucket_name=hos/proxy_hos_bucket
+cache_token=c21f969b5f03d33d43e04f8f136e7682
 
-#Bucket name in minio.
-cache_bucket_name=proxybucket
-#Maximum size of memory used by tango_cache_client. Upload will fail if the current size of memory used exceeds this value.
+#Refer to the pangu_cahche definition
 max_used_memroy_size_mb=5120
-#Default TTL of objects, i.e. the time after which the object will expire(minumun 60s, i.e. 1 minute).
 cache_default_ttl_second=3600
-#Whether to hash the object key before cache actions. GET/PUT may be faster if you open it.
 cache_object_key_hash_switch=1
 
-#Store way: 0-MINIO; 1-META in REDIS, object in minio; 2-META and small object in Redis, large object in minio;
 cache_store_object_way=0
-#If CACHE_STORE_OBJECT_WAY is 2 and the size of a object is not bigger than this value, object will be stored in redis.
 redis_cache_object_size=1024000
-#Configs of WiredLB for Minios load balancer.
-#WIREDLB_OVERRIDE=1
-#wiredlb_health_port=42310
+
 #If CACHE_STORE_OBJECT_WAY is not 0, we will use redis to store meta and object.
 redis_cluster_ip_list=192.168.10.62-63;
 redis_cluster_port_range=6379
 #wired load balancer configuration
 
+#Configs of WiredLB for Minios load balancer.
 wiredlb_override=1
 wiredlb_topic=MinioFileLog
 wiredlb_datacenter=k18consul-tse
@@ -54,6 +40,7 @@ log_fsstat_dst_ip=10.4.20.202
 log_fsstat_dst_port=8125
 
 [ratelimit]
+#hijack flow control
 enable=0
 token_name=ratelimit
 redis_server={{ maat_redis_server.address }}
@@ -62,32 +49,27 @@ redis_db_index=6
 
 [tango_cache]
 enable_cache=0
-minio_ip_list=192.168.10.61-64;
-minio_listen_port=9000
+cache_ip_list=192.168.10.61-64;
+cache_listen_port=9000
+cache_bucket_name=hos/proxy_hos_bucket
+cache_token=c21f969b5f03d33d43e04f8f136e7682
 
-#max_connection_per_host=1
 max_cnnt_pipeline_num=20
-#max_curl_session_num=100
-
-cache_bucket_name=proxybucket
+#Maximum size of memory used by tango_cache_client. Upload will fail if the current size of memory used exceeds this value.
 max_used_memory_size_mb=10240
+#Default TTL of objects, i.e. the time after which the object will expire(minumun 60s, i.e. 1 minute).
 cache_default_ttl_second=3600
+#Whether to hash the object key before cache actions. GET/PUT may be faster if you open it.
 cache_object_key_hash_switch=1
-
-#1-minio，2-redis
-#Store way: 0-MINIO; 1-META in REDIS, object in minio; 2-META and small object in Redis, large object in minio;
-cache_store_object_way=0
+#Store way: 0-HOS; 1-META in REDIS, object in hos; 2-META and small object in Redis, large object in hos;
+cache_store_object_way=2
 #If CACHE_STORE_OBJECT_WAY is 2 and the size of a object is not bigger than this value, object will be stored in redis.
 redis_cache_object_size=102400
 #If CACHE_STORE_OBJECT_WAY is not 0, we will use redis to store meta and object.
 redis_cluster_ip_list=192.168.10.62-63;
 redis_cluster_port_range=6379
-#wired load balancer configuration
-wiredlb_override=1
-wiredlb_topic=MinioCache
-wiredlb_datacenter=k18consul-tse
-wiredlb_health_port=52101
-wiredlb_group=TangoCache
+
+#Configs of WiredLB for Minios load balancer.Refer to the definition at log
 
 cache_undefined_obj=1
 query_undefined_obj=0

roles/tfe/templates/tfe-env-config.j2

@@ -1,4 +1,4 @@
-{% if tsg_access_type == 4 %}
+{% if tsg_access_type == 4 or tsg_access_type == 5 %}
 TFE_DEVICE_DATA_INCOMING={{ ATCA_data_incoming.vf2_name }}
 {% elif tsg_running_type != 2 %}
 TFE_DEVICE_DATA_INCOMING=tun_kni
@@ -6,7 +6,7 @@ TFE_DEVICE_DATA_INCOMING=tun_kni
 TFE_DEVICE_DATA_INCOMING={{ nic_data_incoming.name }}
 {% endif %}
 TFE_LOCAL_MAC_DATA_INCOMING=fe:65:b7:03:50:bd
-{% if tsg_access_type == 4 %}
+{% if tsg_access_type == 4 or tsg_access_type == 5 %}
 TFE_PEER_MAC_DATA_INCOMING=00:0e:c6:d6:72:c1
 {% else %}
 TFE_PEER_MAC_DATA_INCOMING=aa:bb:cc:dd:ee:ff

roles/tfe/templates/tfe.conf.j2

@@ -1,7 +1,8 @@
 [system]
 nr_worker_threads={{ tfe.nr_threads }}
 enable_kni_v1=0
-enable_kni_v2=1
+enable_kni_v2=0
+enable_kni_v3=1
 
 # Only when (disable_coredump == 1 || (enable_breakpad == 1 && enable_breakpad_upload == 1)) is satisfied, the core will not be generated locally
 disable_coredump=0
@@ -19,6 +20,12 @@ cpu_affinity_mask=1-9
 # LEAST_CONN = 0; ROUND_ROBIN = 1
 load_balance=1
 
+[nfq]
+queue_id=1
+queue_maxlen=655350
+queue_rcvbufsiz=983025000
+queue_no_enobufs=1
+
 [kni]
 # kni v1
 #uxdomain=/var/run/.tfe_kni_acceptor_handler

roles/tfe/templates/tfe_kmod.conf.j2

@@ -1,2 +0,0 @@
-# load tfe_kmod at boot
-tfe_kmod

roles/tsg-diagnose/tasks/main.yml

@@ -0,0 +1,38 @@
+- name: "Tsg-diagnose:copy file to device"
+  copy:
+    src: '{{ role_path }}/files/'
+    dest: /tmp/ansible_deploy/
+    
+- name: "Install tsg-diagnose rpm package"
+  yum:
+    name:
+      - "/tmp/ansible_deploy/tsg-diagnose-21.03.01.39beba7-1.el7.x86_64.rpm"
+    state: present
+
+- name: "Templates tsg-diagnose.config"
+  template:
+    src: "{{role_path}}/templates/tsg-diagnose.config.j2"
+    dest: /opt/tsg/tsg-diagnose/etc/tsg-diagnose.config
+  tags: template
+
+- name: "tsg-diagnose:mkdir -p .badssl_cert_dict"
+  file:
+    path: /opt/tsg/tsg-diagnose/.badssl_cert_dict
+    state: directory
+
+
+- name: "tsg-diagnose: unarchive certs"
+  unarchive:
+    src: /tmp/ansible_deploy/tsg-diagnose-certs.tgz
+    dest: /opt/tsg/tsg-diagnose/.badssl_cert_dict
+    remote_src: yes
+
+- name: 'Tsg-diagnose service start'
+  systemd:
+    name: tsg-diagnose
+    enabled: yes
+    daemon_reload: yes
+    state: started
+
+- name: "tsg-diagnose init rsync deamon"
+  shell: /bin/sh /opt/tsg/tsg-diagnose/deploy/rsync/init_rsyncd.sh

roles/tsg-diagnose/templates/tsg-diagnose.config.j2

@@ -0,0 +1,135 @@
+[test_securityPolicy_bypass]
+# enabled = 1 run this case
+enabled = 1
+#Connection TIMEOUT, in seconds
+conn_timeout = 1
+#max_recv_speed_large  byte/s
+max_recv_speed_large = 6553600
+
+[test_securityPolicy_intercept]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_securityPolicy_intercept_certerrExpired]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_securityPolicy_intercept_certerrSelf_signed]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_securityPolicy_intercept_certerrUntrusted_root]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_proxyPolicy_ssl_redirect]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_proxyPolicy_ssl_block]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_proxyPolicy_ssl_replace]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_proxyPolicy_ssl_hijack]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_proxyPolicy_ssl_insert]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_proxyPolicy_http_redirect]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_proxyPolicy_http_block]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_proxyPolicy_http_replace]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_proxyPolicy_http_hijack]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_proxyPolicy_http_insert]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_https_con_traffic_1k]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_https_con_traffic_4k]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_https_con_traffic_16k]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_https_con_traffic_64k]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_https_con_traffic_256k]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_https_con_traffic_1M]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_https_con_traffic_4M]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_https_con_traffic_16M]
+enabled = 1
+conn_timeout = 4
+max_recv_speed_large = 6553600
+
+[test_https_con_traffic_64M]
+enabled = 1
+conn_timeout = 12
+max_recv_speed_large = 6553600
+
+[start_time_random_delay_range]
+enabled = 1
+#Left_edge is the left edge of the randomly generated time in seconds
+left_edge = 0
+#Left_edge is the right edge of the randomly generated time in seconds
+right_edge = 30
+
+[telegraf]
+host = 192.51.100.1
+port = 58100
+tags_key = app_name
+tags_value = tsg-diagnose

roles/tsg-diagnose_stop_sync/tasks/main.yml

@@ -0,0 +1,3 @@
+- name: "tsg-diagnose:  stop rsync deamon process"
+  shell: killall -9 rsync
+

roles/tsg-diagnose_sync_ca/files/tsg_diagnose_ca.pem

@@ -0,0 +1,49 @@
+-----BEGIN CERTIFICATE-----
+MIIGWzCCBEOgAwIBAgIJAMimxpHS+4hRMA0GCSqGSIb3DQEBCwUAMHcxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp
+c2NvMQ8wDQYDVQQKDAZCYWRTU0wxKjAoBgNVBAMMIUJhZFNTTCBSb290IENlcnRp
+ZmljYXRlIEF1dGhvcml0eTAeFw0yMDEwMjYwODQ3NDZaFw00MDEwMjEwODQ3NDZa
+MHcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1T
+YW4gRnJhbmNpc2NvMQ8wDQYDVQQKDAZCYWRTU0wxKjAoBgNVBAMMIUJhZFNTTCBS
+b290IENlcnRpZmljYXRlIEF1dGhvcml0eTCCAiIwDQYJKoZIhvcNAQEBBQADggIP
+ADCCAgoCggIBAKnefEvaekYAdlfFtpnaPaKYgl+X3FOXUEiYLHuX9YZjuhjVAf/I
+19iW7+k6mln3jSxD05YZQk/jUVTTVjYgQftHzlZiJG086AGhG86QwDIPb9nQIGy8
+3DscFFQGGOoYPdV9E+s1cFDTIFGqqqlJ5T5jpjnAL/3WR2LxrgzPVkBjcOTJnkU6
+Gv2jqwQYGSz8+A6FYsGLqO6Pv7uKY1OPELNcTGnSwD1uctsMHn/Xqx4nMaBoMuSc
+TZQEneSagGDgF1dVqEFhVEPo4VXiVthhS82xA3xK69UKfKLFkjjy+icH8LllKUFo
+Psu+w/9V3OZ4xfzjEdpoRwRUmOesS5wlEkd3rLKEWXG/A8Uul5iCZ2Dez9nE6wi7
+w7JD7R1InPoD+7KXtT2JWS+9sj+Vre7XIjSEQuBRGiTOXnDcuYjFOkvCqS7OToUc
+fOJAlKHCndqBnzLoLJHU2ozrqgz8SU0Iv1CPW6YXLtRFFX3K9WUvX7XNTonh+oWS
+6IGifWnVcYh2N5peUuNVT4heD4QfIDpCvjwUAp2IWr1GnEjvjhPaHialRotHhfCi
+t3T0F58IhFQ6+CLQwE57Yd+7zGbc7osqTe1hbiK2wcciTuajmGZyfev8atFey+Y5
+N/7jD3U0a6u4Z+DyGcc08Pj94cM5AJ7SA45LKwt6xhmGLzhemmdGLJLNAgMBAAGj
+gekwgeYwHQYDVR0OBBYEFMGs0F0ycvMIQgM6oTyOBrxzjCPKMIGpBgNVHSMEgaEw
+gZ6AFMGs0F0ycvMIQgM6oTyOBrxzjCPKoXukeTB3MQswCQYDVQQGEwJVUzETMBEG
+A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEPMA0GA1UE
+CgwGQmFkU1NMMSowKAYDVQQDDCFCYWRTU0wgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRo
+b3JpdHmCCQDIpsaR0vuIUTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkq
+hkiG9w0BAQsFAAOCAgEAeZzR9GKvTRiKfRqCzjhylk+7IbymWjxNTc2LQ3+O6lww
+kw6Z2ybzvR3i/IZ7Hw+DBo1MXku9qHW/1uKR2BssoLHU1p1iHCBrZ1nw9MXxqXa3
+PhgxUZZu39NdXFc12fY/SYP8XQkNVzQCNouOvb75hj087ZDHvGztHIaB3VNUs1p+
+qMvGm8RVUGfDDqynUBZ814N32eCu+13N+dGL7yxASzD6Y3/myhVjixUuoUG3zFTW
+NnIWspbC8MxhP/3QUMYi4KJM4KDiJQxPhGkMBwlhgAz/QPEJApKq0Cl0Reez7Gyd
+KdnrqvCKhf8K53Su8L1GeRvzzKb7Hi+kMWIZVJPGz2DHgOymP5RCsIuWG6cDgx5E
+3LfZYEPG63ezj+qMZmkdEMnD9SVBi85dOTOJ+OJgxxX2OahUKPUdDP89ZmHdOjR9
+CqUxnA+eqRNz1TajnjRFXir3/20SoBtrHBck3bxpmZwsF7A6Sg5RdlvQjK2Oy6g0
+9LrkPUgu9O/sBfz8uyG/HlQD7EuUNo0NQHqznnde3T+w5wY2vL3XUAl39qcpNPF6
+auCS8+aygYYmCUooZVzKlXGU3VUPGwcfmLE4gnPLT0+pnHtBS8tKLOzXAJjYQ3s+
+QpP3aO4lJvoZ6Oes/JRxNPW8dmaLxTKPqsaPEWWuoSYr0higPTBXQNg+++PYRY4=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB8jCCAVugAwIBAgIJAP3GpXchIMWHMA0GCSqGSIb3DQEBCwUAMBExDzANBgNV
+BAsMBkdFRURHRTAgFw0yMDAzMDkxNjEyNTlaGA8yMDUwMDMwMjE2MTI1OVowETEP
+MA0GA1UECwwGR0VFREdFMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCraZpH
+Fca2Iu+9E9HzKbEi2Akdk4RrUJxkQjB2Tr7fGxwPDXqdGvSoXDdgnSA0I0bbNqMs
+drgiCWimjnGiWfY0sssKg7plNTQ4i7Zz7P9Isyf6TuxvB09CzdhH2FQ3lLRTb8pv
+BA0E28CCYiZhtX1/3RlDSvxaRKOM3yEt0q+FRQIDAQABo1AwTjAdBgNVHQ4EFgQU
+NqrpSlpCuMBJlCLZEE/D5ZpBy8swHwYDVR0jBBgwFoAUNqrpSlpCuMBJlCLZEE/D
+5ZpBy8swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQBsybFxUAjzhJ5H
+VbSLhyillxtAJ3vEKtLrMVnAgRUEwamyu1JQGndF9kh8RapSmHhmuZM9iTc+NsNb
+DKGKmEOY0vQMw83xE7EGYj4Nhww9UMyGglmTLbd3yB+uJA97beNVduU2mifDHGmN
+4buMiPl3AozGRl9p5UCzZM5XxMMw1A==
+-----END CERTIFICATE-----

roles/tsg-diagnose_sync_ca/tasks/main.yml

@@ -0,0 +1,15 @@
+- name: "tsg-diagnose: rsync badssl ca certs"
+  shell: rsync -avzP --delete 192.168.100.1::blade0toother /tmp/sync/
+  ignore_errors: true
+
+- name: "tsg-diagnose: add badssl ca file to tfe tls-ca-bundle"
+  shell: cat /tmp/sync/ca-root.crt > /opt/tsg/tfe/resource/tfe/tsg_diagnose_ca.pem && cat /tmp/sync/wpr_cert.pem >> /opt/tsg/tfe/resource/tfe/tsg_diagnose_ca.pem
+  ignore_errors: true
+  register: result_tsg_diagnose_sync_cert_shell
+
+- name: "Tsg-diagnose:copy cert file to device"
+  copy:
+    src: '{{ role_path }}/files/tsg_diagnose_ca.pem'
+    dest: /opt/tsg/tfe/resource/tfe/
+  when: result_tsg_diagnose_sync_cert_shell.rc==1
+

roles/tsg-env-tun-mode/templates/setup.j2

@@ -10,7 +10,7 @@ ethtool -K {{ packet_io.internal_interface }} gro off
 ethtool -K {{ packet_io.external_interface }} tso off
 ethtool -K {{ packet_io.external_interface }} gso off
 ethtool -K {{ packet_io.external_interface }} gro off
-{% elif tsg_access_type == 4 %}
+{% elif tsg_access_type == 4 or tsg_access_type == 5 %}
 echo 3 > /sys/class/net/{{ ATCA_data_incoming.ethname }}/device/sriov_numvfs
 ip link set {{ ATCA_data_incoming.ethname }} vf 1 vlan 4095
 ip link set {{ ATCA_data_incoming.ethname }} vf 2 vlan 4095

roles/tsg-env-tun-mode/templates/tsg-env_stop.j2

@@ -3,6 +3,6 @@
 echo 0 >/sys/class/net/{{ nic_mgr.name }}/device/sriov_numvfs
 ifconfig {{ nic_mgr.name }}.100 down
 vconfig rem {{ nic_mgr.name }}.100
-{% if tsg_access_type == 4 %}
+{% if tsg_access_type == 4 or tsg_access_type == 5 %}
 echo 0 >/sys/class/net/{{ ATCA_data_incoming.ethname }}/device/sriov_numvfs
 {% endif %}

roles/tsg_app/tasks/main.yml

@@ -11,28 +11,6 @@
     skip_broken: yes
   vars:
     app_packages:
-      - /tmp/ansible_deploy/app_master-1.0.5.5a4fb22-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/app_control_plug-1.0.3.447fc53-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/app_proto_identify-1.0.5.5c5342a-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/app_sketch_local-1.0.4.0edaf58-2.el7.x86_64.rpm
-  when: tsg_app_enable == 1
+      - /tmp/ansible_deploy/app_sketch_local-3.0.5.92c645f-2.el7.x86_64.rpm
+  when: tsg_app.enable == 1
 
-- name: "mkdir appconf"
-  file:
-    path: /home/mesasoft/sapp_run/appconf
-    state: directory
-  when: tsg_app_enable == 1
-
-- name: "Template the appconf/main.conf"
-  template:
-    src: "{{ role_path }}/templates/main.conf.j2"
-    dest: /home/mesasoft/sapp_run/appconf/main.conf
-  tags: template
-  when: tsg_app_enable == 1
-
-- name: "Template the appconf/maat.conf"
-  template:
-    src: "{{ role_path }}/templates/maat.conf.j2"
-    dest: /home/mesasoft/sapp_run/appconf/maat.conf
-  tags: template
-  when: tsg_app_enable == 1

roles/tsg_app/templates/maat.conf.j2

@@ -1,34 +0,0 @@
-[APP_SIGNATURE_MAAT]
-MAAT_MODE=2
-STAT_SWITCH=1
-PERF_SWITCH=1
-TABLE_INFO=appconf/app_id_tableinfo.conf
-STAT_FILE=app_id_maat.status
-EFFECT_INTERVAL_S=1
-REDIS_IP={{ maat_redis_server.address }}
-REDIS_PORT_NUM=1
-REDIS_PORT={{ maat_redis_server.port }}
-REDIS_INDEX={{ maat_redis_server.db }}
-JSON_CFG_FILE=appconf/app_id_maat.json
-INC_CFG_DIR=apprule/inc/index/
-FULL_CFG_DIR=apprule/full/index/
-EFFECTIVE_RANGE_FILE=/opt/app/etc/app_device_tag.json
-
-[APP_ACTION_MAAT]
-MAAT_MODE=2
-STAT_SWITCH=1
-PERF_SWITCH=1
-TABLE_INFO=appconf/app_action_tableinfo.conf
-STAT_FILE=app_action_maat.status
-EFFECT_INTERVAL_S=1
-REDIS_IP={{ maat_redis_server.address }}
-REDIS_PORT_NUM=1
-REDIS_PORT={{ maat_redis_server.port }}
-REDIS_INDEX={{ maat_redis_server.db }}
-JSON_CFG_FILE=appconf/app_action_maat.json
-INC_CFG_DIR=apprule/inc/index/
-FULL_CFG_DIR=apprule/full/index/
-EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
-
-[MAAT]
-ACCEPT_TAGS={"tags":[{"tag":"device_id","value":"device_1"}]}

roles/tsg_app/templates/main.conf.j2

@@ -1,39 +0,0 @@
-[FEEDBACK]
-QOS=1
-PUBLISH_TOPIC=APP_SIGNATURE_ID
-#CLIENT_ID=
-BROKER_LIST=tcp://{{ app_global_ip }}:1883
-
-[LUA]
-ENABLE=1
-
-[MAAT]
-PROFILE=./appconf/maat.conf
-
-[APP_LOG]
-MODE=1
-LOG_LEVEL={{ applog_level }}
-LOG_PATH=./applog/applog
-BROKER_LIST={{ log_kafkabrokers.address | join(",") }}
-COMMON_FIELD_FILE=appconf/app_log_field.conf
-
-[FIELD_STAT]
-CYCLE=5
-TELEGRAF_PORT=8100
-TELEGRAF_IP=127.0.0.1
-OUTPUT_PATH=./app_stat.log
-APP_NAME=app_master
-
-[SYSTEM]
-LOG_LEVEL={{ app_master_log_level }}
-LOG_PATH=./applog/app_master
-NIC_NAME={{ nic_mgr.name }}
-
-[APP_SKETCH_LOCAL]
-LOG_LEVEL={{ app_sketch_local_log_level }}
-LOG_PATH=./applog/app_sketch_local/app_sketch_local
-
-[CONTROL_PLUG]
-LOG_LEVEL={{ app_control_plug_log_level }}
-LOG_PATH=./applog/app_control_plug/app_control_plug
-