update

deploy.yml

@@ -55,3 +55,4 @@
     - cert-redis
     - tfe
     - telegraf_statistic
+    - proxy_status

install_config/group_vars/all.yml

@@ -1,9 +1,9 @@
 #########################################
 #####0: Pcap; 1: Inline_device;  2: Allot;  3: ADC_Tun_mode;  4: ATCA;
-tsg_access_type: 0
+tsg_access_type: 4
 
-#####0: Tun_mode;  1: ADC;
+#####0: Tun_mode;  1: normal; 2: ADC;
-tsg_running_type: 0 
+tsg_running_type: 1 
 
 ########################################
 maat_redis_server:
@@ -21,7 +21,7 @@ cert_store_server:
   port: 9991
 
 log_kafkabrokers:
-  address: "192.168.40.169:9092"
+  address: "1.1.1.1:9092,2.2.2.2:9092"
 
 log_minio:
   address: "192.168.40.168;"
@@ -35,7 +35,9 @@ fs_remote:
 ########################################
 sapp:
   worker_threads: 16
+  send_only_threads_max: 8
   bind_mask: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
+  inbound_route_dir: 1
 
 ########################################
 kni:
@@ -49,19 +51,15 @@ kni:
   send_logger:
     switch: 1
   tfe_nodes:
-    - tfe0:
+    tfe0_enabled: 1
-        enabled: 1
+    tfe1_enabled: 1
-    - tfe1:
+    tfe2_enabled: 1
-        enabled: 1
-    - tfe2:
-        enabled: 1
 
 ########################################
 tfe:
   nr_threads: 32
   mc_cache_eth: lo 
   keykeeper:
-    mode: "normal"
     no_cache: 0
 
 ########################################
@@ -72,7 +70,7 @@ mrtunnat:
   lcore_id: 38
 
 nic_data_incoming:
-  name: enp1s0
+  ethname: enp1s0
   vf0_name: enp1s2
   vf1_name: enp1s2f1
   vf2_name: enp1s2f2
@@ -80,8 +78,10 @@ nic_data_incoming:
 VlanFlipping:
   vlanID_1: 100
   vlanID_2: 101
+  vlanID_3: 103
+  vlanID_4: 104
 ########################################
-tsg_tun_mode:
+server:
   ethname: eth0
   tun_name: eth0.100
   internal_interface: "eth2"

install_config/hosts

@@ -5,19 +5,19 @@ package_source=local
 [pc-as-tun-mode]
 
 [blade-mxn]
-192.168.40.170
+1.1.1.1 device_id=1
 
 [blade-00]
-192.168.40.166 vvipv4_1= vvipv4_2= vvipv6_1= vvipv6_2=
+1.1.1.1 device_id=1 vvipv4_1= vvipv4_2= vvipv6_1= vvipv6_2=
 
 [blade-01]
-192.168.40.167
+1.1.1.1 device_id=1
 
 [blade-02]
-192.168.40.168
+1.1.1.1 device_id=1
 
 [blade-03]
-192.168.40.169
+1.1.1.1 device_id=1
 
 [Functional_Host:children]
 blade-00

roles/certstore/tasks/main.yml

@@ -10,7 +10,7 @@
 - name: install certstore
   yum:
     name:
-      - /tmp/ansible_deploy/certstore-v20.05.0f61dde-1.el7.centos.x86_64.rpm
+      - /tmp/ansible_deploy/certstore-2.1.2.20200728.7515a19-1.el7.x86_64.rpm
     state: present
 
 - name: template certstore configure file

roles/clotho/templates/clotho.conf.j2

@@ -2,8 +2,8 @@
 BROKER_LIST={{ log_kafkabrokers.address }}
 
 [SYSTEM]
-{% if tsg_running_type == 0 %}
+{% if tsg_running_type == 0 or 1 %}
-NIC_NAME={{ tsg_tun_mode.ethname }}
+NIC_NAME={{ server.ethname }}
 {% else %}
 NIC_NAME={{ nic_mgr.name }}
 {% endif %}

roles/firewall/tasks/main.yml

@@ -8,23 +8,25 @@
   yum:
     name: "{{ fw_packages }}"
     state: present
+    skip_broken: yes
   vars:
     fw_packages:
-      - /tmp/ansible_deploy/dns-2.0.2.5effe72-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/capture_packet_plug-3.0.2.09f193c-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/ftp-1.0.4.5d3a283-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/http-2.0.1.e8f12ee-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/mail-1.0.3.cbc6034-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/ssl-1.0.0.73e5273-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/tsg_conn_record-1.0.0.2155660-1.el7.centos.x86_64.rpm
-      - /tmp/ansible_deploy/fw_dns_plug-debug-1.0.3.ea8e0f6-1.el7.centos.x86_64.rpm
-      - /tmp/ansible_deploy/fw_ftp_plug-1.1.0.74c9a05-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/fw_ssl_plug-1.0.3.30fcf35-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/fw_mail_plug-1.1.0.a42c5a0-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/fw_http_plug-1.1.1.d5a0b10-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/capture_packet_plug-debug-1.0.0.-1.el7.x86_64.rpm
       - /tmp/ansible_deploy/clotho-debug-1.0.0.-1.el7.x86_64.rpm
-      - /tmp/ansible_deploy/quic-1.1.4.9c2e0ba-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/dns-2.0.6.d8317e9-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/fw_quic_plug-1.0.1.e8cded4-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/ftp-1.0.6.2710506-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_dns_plug-3.0.0.0a5d574-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_ftp_plug-3.0.0.7a867ea-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_http_plug-3.0.0.1ca1c65-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_mail_plug-3.0.0.3b4e481-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_quic_plug-3.0.0.b06d39c-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_ssl_plug-3.0.1.7ea9976-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/http-2.0.3.9218b4b-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/mail-1.0.7.9e3be05-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/quic-1.1.6.d6755d8-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/ssl-1.0.3.e8482a4-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/tsg_conn_record-1.0.0.2155660-1.el7.centos.x86_64.rpm
+      - /tmp/ansible_deploy/tsg_conn_sketch-2.0.v2.0_alpha.af621ca-2.el7.x86_64.rpm
 
 - name: "Template the tsgconf/main.conf"
   template:

roles/firewall/templates/capture_packet_plug.conf.j2

@@ -15,8 +15,8 @@ INC_CFG_DIR=capture_packet_rule/inc/index/
 FULL_CFG_DIR=capture_packet_rule/full/index/
 
 [LOG]
-{% if tsg_running_type == 0 %}
+{% if tsg_running_type == 0 or 1 %}
-NIC_NAME={{ tsg_tun_mode.ethname }}
+NIC_NAME={{ server.ethname }}
 {% else %}
 NIC_NAME={{ nic_mgr.name }}
 {% endif %}

roles/firewall/templates/maat.conf.j2

@@ -1,4 +1,5 @@
 [STATIC]
+###0:location 1:json 2:redis
 MAAT_MODE=2
 STAT_SWITCH=1
 PERF_SWITCH=1
@@ -14,6 +15,7 @@ INC_CFG_DIR=tsgrule/inc/index/
 FULL_CFG_DIR=tsgrule/full/index/
 
 [DYNAMIC]
+###0:location 1:json 2:redis
 MAAT_MODE=2
 STAT_SWITCH=1
 PERF_SWITCH=1

roles/firewall/templates/main.conf.j2

@@ -24,8 +24,8 @@ IP_ADDR_TABLE=TSG_SECURITY_ADDR
 
 [TSG_LOG]
 MODE=1
-{% if tsg_running_type == 0 %}
+{% if tsg_running_type == 0 or 1 %}
-NIC_NAME={{ tsg_tun_mode.ethname }}
+NIC_NAME={{ server.ethname }}
 {% else %}
 NIC_NAME={{ nic_mgr.name }}
 {% endif %}

roles/framework/tasks/main.yml

@@ -12,14 +12,14 @@
     packages:
       - /tmp/ansible_deploy/libMESA_field_stat-1.0.1.852c2df-1.el7.x86_64.rpm
       - /tmp/ansible_deploy/libMESA_field_stat2-2.9.0.16ecf3b-2.el7.x86_64.rpm
-      - /tmp/ansible_deploylibMESA_handle_logger-1.0.9.304259e-2.el7.x86_64.rpm/
+      - /tmp/ansible_deploy/libMESA_handle_logger-1.0.9.304259e-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/libMESA_htable-3.10.11.6275308-1.el7.x86_64.rpm
       - /tmp/ansible_deploy/libMESA_prof_load-1.0.5.bf755de-1.el7.x86_64.rpm
       - /tmp/ansible_deploy/libWiredLB-2.0.3.c7d131b-1.el7.x86_64.rpm
       - /tmp/ansible_deploy/libcjson-1.7.8.542ad7f-1.el7.x86_64.rpm
       - /tmp/ansible_deploy/libdocumentanalyze-2.0.4.efdfc29-1.el7.x86_64.rpm
-      - /tmp/ansible_deploy/libmaatframe-2.9.2.7519c63-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libmaatframe-3.0.2.dc1fced-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/librulescan-devel-2.2.0.900d2b3-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/librulescan-2.2.0.900d2b3-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/libwiredcfg-2.0.2.7ce1eea-1.el7.x86_64.rpm
       - /tmp/ansible_deploy/lz4-1.7.5-3.el7.x86_64.rpm
       - /tmp/ansible_deploy/librdkafka-0.11.4-1.el7.x86_64.rpm

roles/kni/tasks/main.yml

@@ -7,7 +7,7 @@
 - name: "install kni rpms from localhost"
   yum:
     name:
-      - /tmp/ansible_deploy/kni-20.06-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/kni-20.07-1.el7.x86_64.rpm
     state: present
 
 - name: Template the kni.conf

roles/kni/templates/kni.conf.j2

@@ -2,8 +2,8 @@
 log_path = ./log/kni/kni.log
 log_level = {{ kni.global.log_level }}
 tfe_node_count = {{ kni.global.tfe_node_count }}
-{% if tsg_running_type == 0 %}
+{% if tsg_running_type == 0 or 1 %}
-manage_eth = {{ tsg_tun_mode.ethname }}
+manage_eth = {{ server.ethname }}
 {% else %}
 manage_eth = {{ nic_mgr.name }}
 {% endif %}
@@ -20,26 +20,26 @@ dst_mac_addr = fe:65:b7:03:50:bd
 enabled = 1
 dev_eth_symbol = {{ nic_data_incoming.vf1_name }}
 ip_addr = 192.168.100.1
-{% elif tsg_running_type == 1 %}
+{% elif tsg_running_type == 2 %}
 [tfe0]
-enabled = 1
+enabled = {{ kni.tfe_nodes.tfe0_enabled }}
 dev_eth_symbol = {{ nic_to_tfe.tfe0.name }}
 ip_addr = 192.168.100.2
 
 [tfe1]
-enabled = 1
+enabled = {{ kni.tfe_nodes.tfe1_enabled }}
 dev_eth_symbol = {{ nic_to_tfe.tfe1.name }}
 ip_addr = 192.168.100.3
 
 [tfe2]
-enabled = 1
+enabled = {{ kni.tfe_nodes.tfe2_enabled }}
 dev_eth_symbol = {{ nic_to_tfe.tfe2.name }}
 ip_addr = 192.168.100.4
 {% endif %}
 
 [tfe_cmsg_receiver]
-{% if tsg_running_type == 0 %}
+{% if tsg_running_type == 0 or 1%}
-listen_eth = {{ tsg_tun_mode.tun_name }}
+listen_eth = {{ server.tun_name }}
 {% else %}
 listen_eth = {{ nic_inner_ctrl.name }}
 {% endif %}
@@ -47,8 +47,8 @@ listen_port = 2475
 
 [watch_dog]
 switch = {{ kni.watch_dog.switch }}
-{% if tsg_running_type == 0 %}
+{% if tsg_running_type == 0 or 1 %}
-listen_eth = {{ tsg_tun_mode.tun_name }}
+listen_eth = {{ server.tun_name }}
 {% else %}
 listen_eth = {{ nic_inner_ctrl.name }}
 {% endif %}

roles/mrzcpd/tasks/main.yml

@@ -6,7 +6,7 @@
 
 - name: "install mrzcpd"
   yum:
-    name: /tmp/ansible_deploy/mrzcpd-4.3.21.26314ca-1.el7.x86_64.rpm
+    name: /tmp/ansible_deploy/mrzcpd-4.3.25.d88306e-1.el7.x86_64.rpm
     state: present
 
 - name: "update sysconfig/mrzcpd"

roles/mrzcpd/templates/mrglobal.conf.ATCA_40G.j2

@@ -1,14 +1,14 @@
 [device]
 device={{nic_data_incoming.vf0_name}},{{ nic_data_incoming.vf1_name }},vxlan_user,vxlan_fwd
 sz_tunnel=8192
-sz_buffer=0
+sz_buffer=32
 
 [device:{{nic_data_incoming.vf0_name}}]
 mtu=4096
 clear_tx_flags=1
 vlan-filter=1
 vlan-strip=1
-vlan-id-allow={{ VlanFlipping.vlanID_1 }},{{ VlanFlipping.vlanID_2 }}
+vlan-id-allow={{ VlanFlipping.vlanID_1 }},{{ VlanFlipping.vlanID_2 }},{{ VlanFlipping.vlanID_3 }},{{ VlanFlipping.vlanID_4 }}
 vlan-pvid=0
 vlan-pvid-mode=2
 hw_strip_crc=1
@@ -22,12 +22,15 @@ vlan-id-allow=4095
 vlan-pvid=0
 vlan-pvid-mode=2
 hw_strip_crc=1
+sz_tunnel=8192
+sz_buffer=0
 
 [service]
 # lcore id for i/o service, use comma to split
 iocore={{ mrzcpd.iocore }}
 distmode=2
 hashmode=0
+idle_threshold=10000
 
 [eal]
 virtaddr=0x7f40c4a00000

roles/mrzcpd/templates/mrtunnat.conf.ATCA_40G.j2

@@ -8,12 +8,17 @@ nr_slots=1048576
 expire_time=60
 reverse_tunnel=0
 use_recent_tunnel=0
+use_link_info_table=1
 use_tuple4_as_sskey=0
 ctrlzone_addr_info_type=2
+idle_threshold=10000
 
 [vlan_flipping]
 enable=1
 c_router_vlan_id_0={{ VlanFlipping.vlanID_1 }}
 i_router_vlan_id_0={{ VlanFlipping.vlanID_2 }}
 en_mac_flipping_0=0
-
+en_mac_flipping_0=0
+c_router_vlan_id_1={{ VlanFlipping.vlanID_3 }}
+i_router_vlan_id_1={{ VlanFlipping.vlanID_4 }}
+en_mac_flipping_1=0

roles/proxy_status/files/proxy-status.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=proxy status
+
+[Service]
+ExecStart=/opt/proxy_status/proxy_start
+ExecStop=/opt/proxy_status/proxy_stop
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

roles/proxy_status/files/proxy_start

@@ -0,0 +1,12 @@
+#!/bin/bash
+#
+
+systemctl start tsg-env-tun-mode.service &>/dev/null &
+sleep 2
+systemctl start sapp.service &>/dev/null &
+sleep 5
+systemctl start tfe-env.service &>/dev/null &
+sleep 5
+systemctl start tfe.service &>/dev/null &
+systemctl start certstore.service &>/dev/null &
+systemctl start cert-redis.service &>/dev/null &

roles/proxy_status/files/proxy_status

@@ -0,0 +1,65 @@
+#!/bin/bash
+#
+
+systemctl status tsg-env-tun-mode &>/dev/null
+if [ $? -eq 0 ];then
+	echo -e "\033[32m tsg-env-tun-mode is running \033[0m"
+else
+        echo -e "\033[31m tsg-env-tun-mode is down \033[0m"
+fi
+
+systemctl status mrzcpd &>/dev/null
+if [ $? -eq 0 ];then
+	echo -e "\033[32m mrzcpd is running \033[0m"
+else
+        echo -e "\033[31m mrzcpd is down \033[0m"
+fi
+
+systemctl status mrenv &>/dev/null
+if [ $? -eq 0 ];then
+	echo -e "\033[32m mrenv is running \033[0m"
+else
+        echo -e "\033[31m mrenv is down \033[0m"
+fi
+
+systemctl status mrtunnat &>/dev/null
+if [ $? -eq 0 ];then
+	echo -e "\033[32m mrtunnat is running \033[0m"
+else
+        echo -e "\033[31m mrtunnat is down \033[0m"
+fi
+
+systemctl status sapp &>/dev/null
+if [ $? -eq 0 ];then
+	echo -e "\033[32m sapp is running \033[0m"
+else
+        echo -e "\033[31m sapp is down \033[0m"
+fi
+
+systemctl status tfe-env &>/dev/null
+if [ $? -eq 0 ];then
+	echo -e "\033[32m tfe-env is running \033[0m"
+else
+        echo -e "\033[31m tfe-env is down \033[0m"
+fi
+
+systemctl status tfe &>/dev/null
+if [ $? -eq 0 ];then
+	echo -e "\033[32m tfe is running \033[0m"
+else
+        echo -e "\033[31m tfe is down \033[0m"
+fi
+
+systemctl status certstore &>/dev/null
+if [ $? -eq 0 ];then
+	echo -e "\033[32m certstore is running \033[0m"
+else
+        echo -e "\033[31m certstore is down \033[0m"
+fi
+
+systemctl status cert-redis &>/dev/null
+if [ $? -eq 0 ];then
+	echo -e "\033[32m cert-redis is running \033[0m"
+else
+        echo -e "\033[31m cert-redis is down \033[0m"
+fi

roles/proxy_status/files/proxy_stop

@@ -0,0 +1,12 @@
+#!/bin/bash
+#
+
+systemctl stop tsg-env-tun-mode.service &>/dev/null &
+systemctl stop mrzcpd.service &>/dev/null &
+systemctl stop mrtunnat.service &>/dev/null &
+systemctl stop sapp.service &>/dev/null &
+systemctl stop tfe-env.service &>/dev/null &
+systemctl stop tfe.service &>/dev/null &
+systemctl stop certstore.service &>/dev/null &
+systemctl stop cert-redis.service &>/dev/null &
+

roles/proxy_status/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+- name: "create /opt/proxy_status"
+  file:
+    path: /opt/proxy_status
+    state: directory
+
+- name: "copy files"
+  copy:
+    src: "{{ role_path }}/files/" 
+    dest: /opt/proxy_status
+    mode: 0755
+
+- name: "copy proxy-status.service"
+  copy:
+    src: "{{ role_path }}/files/proxy-status.service"
+    dest: "/usr/lib/systemd/system/"   
+    mode: 0755  
+
+- name: "enable proxy-status"
+  systemd:
+    name: proxy-status
+    enabled: yes
+    daemon_reload: yes
+

roles/sapp/tasks/main.yml

@@ -7,7 +7,7 @@
 - name: "install sapp rpms from localhost"
   yum:
     name:
-      - /tmp/ansible_deploy/sapp-4.0.14.91cbc1b-x86_64.rpm
+      - /tmp/ansible_deploy/sapp-4.0.18.bb2effd-x86_64...rpm
     state: present
     skip_broken: yes
 

roles/sapp/templates/conflist.inf.j2

@@ -25,5 +25,7 @@
 ./plug/business/fw_dns_plug/fw_dns_plug.inf
 ./plug/business/fw_mail_plug/fw_mail_plug.inf
 ./plug/business/fw_ftp_plug/fw_ftp_plug.inf
+./plug/business/fw_quic_plug/fw_quic_plug.inf
 ./plug/business/tsg_conn_record/tsg_conn_record.inf
+./plug/business/tsg_conn_sketch/tsg_conn_sketch.inf
 ./plug/business/capture_packet_plug/capture_packet_plug.inf

roles/sapp/templates/sapp.toml.j2

@@ -9,19 +9,29 @@
 instance_name = "sapp4"
 
 [CPU]
-{% if tsg_running_type == 0 %}
+{% if tsg_access_type == 0 %}
 worker_threads=1
 {% else %}
 worker_threads={{ sapp.worker_threads }}
 {% endif %}
+{% if tsg_access_type == 4 %}
+send_only_threads_max={{ sapp.send_only_threads_max }}
+{% endif %}
 ### note, bind_mask, if you do not want to bind thread to special CPU core, keep it empty as []
-{% if tsg_running_type == 0 %}
+{% if tsg_access_type == 0 %}
 bind_mask=[]
 {% else %}
 bind_mask=[{{ sapp.bind_mask }}]
 {% endif %}
 
 [PACKET_IO]
+{% if tsg_access_type == 4 %}
+### note, used to represent inbound or outbound direction value,
+##### because it comes from other device, so it needs to be specified manually,
+##### if inbound_route_dir=1, then outbound_route_dir=0, vice versa,
+##### in other words, outbound_route_dir = 1 ^ inbound_route_dir;
+inbound_route_dir={{ sapp.inbound_route_dir }}
+{% endif %}
 ### note, BSD_packet_filter, if you do not want to set any filter rule, keep it empty as ""
 BSD_packet_filter=""
    
@@ -37,7 +47,7 @@ BSD_packet_filter=""
     [packet_io.internal.interface]
     {% if tsg_access_type == 0 %}
     type=pcap
-    name={{tsg_tun_mode.internal_interface}}
+    name={{server.internal_interface}}
     {% else %}
     type=marsio
     name=vxlan_user
@@ -46,7 +56,7 @@ BSD_packet_filter=""
     [packet_io.external.interface]
     {% if tsg_access_type == 0 %}
     type=pcap
-    name={{tsg_tun_mode.external_interface}}
+    name={{server.external_interface}}
     {% else %}
     type=pcap
     name=lo

roles/telegraf_statistic/templates/telegraf_statistic.conf.j2

@@ -17,7 +17,7 @@
     files = ["stdout", "/tmp/metrics.out"]
        data_format = "json"
  [[outputs.kafka]]
-   brokers = ["{{ log_kafkabrokers.address }}"]
+   brokers = ["192.168.40.186:9092"]
    topic = "TRAFFIC-METRICS-LOG"
     data_format = "json"
  [[outputs.prometheus_client]]

roles/tfe/files/tfe.service

@@ -0,0 +1,22 @@
+[Unit]
+Description=Tango Frontend Engine
+Requires=tfe-env.service
+After=tfe-env.service
+
+
+[Service]
+Type=notify
+ExecStart=/opt/tsg/tfe/bin/tfe
+WorkingDirectory=/opt/tsg/tfe/
+TimeoutSec=3600s
+RestartSec=10s
+Restart=always
+LimitNOFILE=524288
+LimitNPROC=infinity
+LimitCORE=infinity
+TasksMax=infinity
+Delegate=yes
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target

roles/tfe/tasks/main.yml

@@ -4,11 +4,17 @@
     src: "{{ role_path }}/files/"
     dest: /tmp/ansible_deploy/
 
+- name: "copy tfe.service to destination server"
+  copy:
+    src: "{{ role_path }}/files/tfe.service"
+    dest: /usr/lib/systemd/system/
+    mode: 0755
+ 
 - name: "install tfe rpms from localhost"
   yum:
     name:
       - /tmp/ansible_deploy/tfe-kmod-v1.0.5.20200408-1dkms.noarch.rpm
-      - /tmp/ansible_deploy/tfe-4.3.4.82f04dc-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/tfe-4.3.7.39bff00-1.el7.x86_64.rpm
     state: present
 
 - name: "template tfe-env config"
@@ -31,6 +37,16 @@
     src: "{{ role_path }}/templates/pangu_pxy.conf.j2"
     dest: /opt/tsg/tfe/conf/pangu/pangu_pxy.conf
 
+- name: "create conf/doh/"
+  file:
+    path: /opt/tsg/tfe/conf/doh/ 
+    state: directory
+
+- name: "template the doh.conf"
+  template:
+    src: "{{ role_path }}/templates/doh.conf.j2"
+    dest: /opt/tsg/tfe/conf/doh/doh.conf
+
 - name: "create a override conf - first step, create dir"
   file:
     path: /etc/systemd/system/tfe.service.d/

roles/tfe/templates/doh.conf.j2

@@ -0,0 +1,26 @@
+[doh]
+# default 1
+enable=1
+
+[log]
+# default 10
+# RLOG_LV_DEBUG : 10
+# RLOG_LV_INFO  : 20
+# RLOG_LV_FATAL : 30
+log_level=10
+
+[maat]
+# default TSG_OBJ_APP_ID
+table_appid=TSG_OBJ_APP_ID
+# default TSG_SECURITY_ADDR
+table_addr=TSG_SECURITY_ADDR
+# default TSG_FIELD_DOH_QNAME
+table_qname=TSG_FIELD_DOH_QNAME
+# default TSG_FIELD_HTTP_HOST
+table_host=TSG_FIELD_DOH_HOST
+
+[kafka]
+# default 0
+ENTRANCE_ID=0
+# default 1
+en_sendlog=1

roles/tfe/templates/pangu_pxy.conf.j2

@@ -1,129 +1,107 @@
-[debug]
+[debug]
-log_level=30
+log_level=10
-
+
-[log]
+[log]
-{% if tsg_running_type == 0 %}
+entrance_id=0
-nic_name={{ tsg_tun_mode.ethname }}
+
-{% else %}
+#Addresses of minio. Format is defined by WiredLB.
-nic_name={{ nic_mgr.name }}
+#minio_ip_list=192.168.10.61-64;
-{% endif %}
+minio_ip_list= {{ log_minio.address }}
-entrance_id=0
+minio_listen_port= {{ log_minio.port }}
-device_id_filepath=/opt/tsg/etc/tsg_sn.json
+#Maximum number of connections opened by per host.
-kafka_brokerlist= {{ log_kafkabrokers.address }}
+#MAX_CONNECTION_PER_HOST=1
-kafka_topic=PROXY-EVENT-LOG
+#Maximum number of requests in a pipeline.
-
+#MAX_CNNT_PIPELINE_NUM=20
-#Addresses of minio. Format is defined by WiredLB.
+#Maximum parellel sessions(http and redis) is allowed to open.
-#minio_ip_list=192.168.10.61-64;
+#MAX_CURL_SESSION_NUM=100
-minio_ip_list= {{ log_minio.address }}
+#Maximum time the request is allowed to take(seconds).
-minio_listen_port= {{ log_minio.port }}
+#MAX_CURL_TRANSFER_TIMEOUT_S=0
-#Maximum number of connections opened by per host.
+
-#MAX_CONNECTION_PER_HOST=1
+#Bucket name in minio.
-#Maximum number of requests in a pipeline.
+cache_bucket_name=proxybucket
-#MAX_CNNT_PIPELINE_NUM=20
+#Maximum size of memory used by tango_cache_client. Upload will fail if the current size of memory used exceeds this value.
-#Maximum parellel sessions(http and redis) is allowed to open.
+max_used_memroy_size_mb=5120
-#MAX_CURL_SESSION_NUM=100
+#Default TTL of objects, i.e. the time after which the object will expire(minumun 60s, i.e. 1 minute).
-#Maximum time the request is allowed to take(seconds).
+cache_default_ttl_second=3600
-#MAX_CURL_TRANSFER_TIMEOUT_S=0
+#Whether to hash the object key before cache actions. GET/PUT may be faster if you open it.
-
+cache_object_key_hash_switch=1
-#Bucket name in minio.
+
-cache_bucket_name=proxybucket
+#Store way: 0-MINIO; 1-META in REDIS, object in minio; 2-META and small object in Redis, large object in minio;
-#Maximum size of memory used by tango_cache_client. Upload will fail if the current size of memory used exceeds this value.
+cache_store_object_way=0
-max_used_memroy_size_mb=5120
+#If CACHE_STORE_OBJECT_WAY is 2 and the size of a object is not bigger than this value, object will be stored in redis.
-#Default TTL of objects, i.e. the time after which the object will expire(minumun 60s, i.e. 1 minute).
+redis_cache_object_size=1024000
-cache_default_ttl_second=3600
+#Configs of WiredLB for Minios load balancer.
-#Whether to hash the object key before cache actions. GET/PUT may be faster if you open it.
+#WIREDLB_OVERRIDE=1
-cache_object_key_hash_switch=1
+wiredlb_health_port=42310
-
+#If CACHE_STORE_OBJECT_WAY is not 0, we will use redis to store meta and object.
-#Store way: 0-MINIO; 1-META in REDIS, object in minio; 2-META and small object in Redis, large object in minio;
+redis_cluster_ip_list=192.168.10.62-63;
-cache_store_object_way=0
+redis_cluster_port_range=6379
-#If CACHE_STORE_OBJECT_WAY is 2 and the size of a object is not bigger than this value, object will be stored in redis.
+#wired load balancer configuration
-redis_cache_object_size=1024000
+
-#Configs of WiredLB for Minios load balancer.
+wiredlb_override=1
-#WIREDLB_OVERRIDE=1
+wiredlb_topic=MinioFileLog
-wiredlb_health_port=42310
+wiredlb_datacenter=k18consul-tse
-#If CACHE_STORE_OBJECT_WAY is not 0, we will use redis to store meta and object.
+wiredlb_health_port=52102
-redis_cluster_ip_list=192.168.10.62-63;
+wiredlb_group=FileLog
-redis_cluster_port_range=6379
+
-#wired load balancer configuration
+log_fsstat_appname=tango_log_file
-
+log_fsstat_filepath=./tango_log_file.fs
-wiredlb_override=1
+log_fsstat_interval=10
-wiredlb_topic=MinioFileLog
+log_fsstat_trig=1
-wiredlb_datacenter=k18consul-tse
+log_fsstat_dst_ip=10.4.20.202
-wiredlb_health_port=52102
+log_fsstat_dst_port=8125
-wiredlb_group=FileLog
+
-
+[ratelimit]
-log_fsstat_appname=tango_log_file
+enable=0
-log_fsstat_filepath=./tango_log_file.fs
+token_name=ratelimit
-log_fsstat_interval=10
+redis_server={{ maat_redis_server.address }}
-log_fsstat_trig=1
+redis_port={{ maat_redis_server.port }}
-log_fsstat_dst_ip=10.4.20.202
+redis_db_index=6
-log_fsstat_dst_port=8125
+
-[maat]
+[tango_cache]
-# 0:json 1: redis 2: iris
+enable_cache=0
-maat_input_mode=1
+minio_ip_list=192.168.10.61-64;
-table_info=resource/pangu/table_info.conf
+minio_listen_port=9000
-json_cfg_file=resource/pangu/pangu_http.json
+
-stat_file=log/pangu_scan.status
+#max_connection_per_host=1
-full_cfg_dir=pangu_policy/full/index/
+max_cnnt_pipeline_num=20
-inc_cfg_dir=pangu_policy/inc/index/
+#max_curl_session_num=100
-
+
-maat_redis_server={{ maat_redis_server.address }}
+cache_bucket_name=proxybucket
-maat_redis_port_range={{ maat_redis_server.port }}
+max_used_memory_size_mb=10240
-maat_redis_db_index={{ maat_redis_server.db }}
+cache_default_ttl_second=3600
-effect_interval_s=1
+cache_object_key_hash_switch=1
-#accept_tags={"tags":[{"tag":"location","value":"Astana"}]}
+
-
+#1-minio，2-redis
-[dynamic_maat]
+#Store way: 0-MINIO; 1-META in REDIS, object in minio; 2-META and small object in Redis, large object in minio;
-maat_input_mode=1
+cache_store_object_way=0
-table_info=resource/pangu/dynamic_maat_table_info.conf
+#If CACHE_STORE_OBJECT_WAY is 2 and the size of a object is not bigger than this value, object will be stored in redis.
-maat_redis_server={{ dynamic_maat_redis_server.address }}
+redis_cache_object_size=102400
-maat_redis_port_range={{ dynamic_maat_redis_server.port }}
+#If CACHE_STORE_OBJECT_WAY is not 0, we will use redis to store meta and object.
-maat_redis_db_index={{ dynamic_maat_redis_server.db }}
+redis_cluster_ip_list=192.168.10.62-63;
-effect_interval_s=1
+redis_cluster_port_range=6379
-
+#wired load balancer configuration
-[tango_cache]
+wiredlb_override=1
-enable_cache=0
+wiredlb_topic=MinioCache
-minio_ip_list=192.168.10.61-64;
+wiredlb_datacenter=k18consul-tse
-minio_listen_port=9000
+wiredlb_health_port=52101
-
+wiredlb_group=TangoCache
-#max_connection_per_host=1
+
-max_cnnt_pipeline_num=20
+cache_undefined_obj=1
-#max_curl_session_num=100
+query_undefined_obj=0
-
+statsd_server=192.168.10.72
-cache_bucket_name=proxybucket
+statsd_port=8126
-max_used_memory_size_mb=10240
+histogram_bins=0.20,0.40,0.6,0.8
-cache_default_ttl_second=3600
+
-cache_object_key_hash_switch=1
+log_fsstat_appname=tango_cache
-
+log_fsstat_filepath=./tango_cache_client.fs
-#1-minio，2-redis
+log_fsstat_interval=10
-#Store way: 0-MINIO; 1-META in REDIS, object in minio; 2-META and small object in Redis, large object in minio;
+log_fsstat_trig=1
-cache_store_object_way=0
+log_fsstat_dst_ip=10.4.20.201
-#If CACHE_STORE_OBJECT_WAY is 2 and the size of a object is not bigger than this value, object will be stored in redis.
+log_fsstat_dst_port=8125
-redis_cache_object_size=102400
+
-#If CACHE_STORE_OBJECT_WAY is not 0, we will use redis to store meta and object.
+
-redis_cluster_ip_list=192.168.10.62-63;
+[traffic_mirror]
-redis_cluster_port_range=6379
+table_info=resource/pangu/table_info_traffic_mirror.conf
-#wired load balancer configuration
+stat_file=log/traffic_mirror.status
-wiredlb_override=1
+
-wiredlb_topic=MinioCache
-wiredlb_datacenter=k18consul-tse
-wiredlb_health_port=52101
-wiredlb_group=TangoCache
-
-cache_undefined_obj=1
-query_undefined_obj=0
-statsd_server={{fs_remote.address}}
-statsd_port={{fs_remote.port}}
-histogram_bins=0.20,0.40,0.6,0.8
-
-log_fsstat_appname=tango_cache
-log_fsstat_filepath=./tango_cache_client.fs
-log_fsstat_interval=10
-log_fsstat_trig=1
-log_fsstat_dst_ip=10.4.20.201
-log_fsstat_dst_port=8125
-
-
-[traffic_mirror]
-table_info=resource/pangu/table_info_traffic_mirror.conf
-stat_file=log/traffic_mirror.status

roles/tfe/templates/tfe-env-config.j2

@@ -1,7 +1,7 @@
-{% if tsg_running_type == 0 %}
+{% if tsg_access_type == 4 %}
+TFE_DEVICE_DATA_INCOMING={ nic_data_incoming.vf2_name }}
+{% elif tsg_running_type == 0 %}
 TFE_DEVICE_DATA_INCOMING=tun_kni
-{% elif tsg_access_type == 4 %}
-TFE_DEVICE_DATA_INCOMING={{ nic_data_incoming.vf2_name }}
 {% else %}
 TFE_DEVICE_DATA_INCOMING={{ nic_data_incoming.name }}
 {% endif %}
@@ -14,7 +14,7 @@ TFE_PEER_MAC_DATA_INCOMING=aa:bb:cc:dd:ee:ff
 TFE_LOCAL_IP_DATA_INCOMING=172.16.241.2
 TFE_PEER_IP_DATA_INCOMING=172.16.241.1
 
-{% if tsg_running_type == 0 %}
+{% if tsg_running_type == 0 or 1 %}
-TFE_WATCHDOG_DEVICE={{ tsg_tun_mode.tun_name }}
+TFE_WATCHDOG_DEVICE={{ server.tun_name }}
 TFE_WATCHDOG_IP=192.168.100.1
 {% endif %}

roles/tfe/templates/tfe.conf.j2

@@ -1,14 +1,15 @@
 [system]
 nr_worker_threads={{ tfe.nr_threads }}
-enable_breakpad=1
+enable_breakpad=0
 enable_breakpad_upload=0
 breakpad_minidump_dir=/run/tfe/crashreport/
 breakpad_upload_url=http://127.0.0.1:9000/
 disable_coredump=0
 
+
 [kni]
 ip=192.168.100.1
-scm_port=2475
+cmsg_port=2475
 watchdog_switch=1
 watchdog_port=2476
 
@@ -31,8 +32,8 @@ service_cache_expire_seconds=600
 # default 0
 mc_cache_enable=1
 # default eth0
-{% if tsg_running_type == 0 %}
+{% if tsg_running_type == 0 or 1 %}
-mc_cache_eth={{ tsg_tun_mode.tun_name }}
+mc_cache_eth={{ server.tun_name }}
 {% else %}
 mc_cache_eth={{ nic_inner_ctrl.name }}
 {% endif %}
@@ -44,19 +45,21 @@ mc_cache_topic=PXY-EXCH-INTERMEDIA-CERT
 [key_keeper]
 #Mode: debug - generate cert with ca_path, normal - generate cert with cert store
 #0 on cache 1 off cache
-mode= {{ tfe.keykeeper.mode }}
+mode= normal
 no_cache=0
 cert_store_host= {{ cert_store_server.address }}
 cert_store_port= {{ cert_store_server.port }}
 ca_path=resource/tfe/tango-ca-v3-trust-ca.pem
 untrusted_ca_path=resource/tfe/tango-ca-v3-untrust-ca.pem
-enable_health_check=0
+# health_check only for "mode=normal"
+# default 1
+enable_health_check=1
 
-[debug]	
+[debug]
 passthrough_all_tcp=0
 
 [traffic_mirror]
-{% if tsg_running_type == 0 %}
+{% if tsg_running_type == 0 or 1 %}
 device=lo
 {% else %}
 device={{ nic_traffic_mirror.name }}
@@ -84,6 +87,45 @@ level=10
 [stat]
 statsd_server={{ fs_remote.address }}
 statsd_port={{ fs_remote.port }}
+statsd_cycle=5
+# FS_OUTPUT_STATSD=1, FS_OUTPUT_INFLUX_LINE=2
+statsd_format=2
 
 [http]
 loglevel=10
+
+[kafka]
+enable=1
+{% if tsg_running_type == 0 or 1 %}
+nic_name={{ server.ethname }}
+{% else %}
+nic_name={{ nic_mgr.name }}
+{% endif %}
+kafka_brokerlist={{ log_kafkabrokers.address }}
+kafka_topic=PROXY-EVENT-LOG
+device_id_filepath=/opt/tsg/etc/tsg_sn.json
+
+[maat]
+# 0:json 1: redis 2: iris
+maat_input_mode=1
+table_info=resource/pangu/table_info.conf
+json_cfg_file=resource/pangu/pangu_http.json
+stat_file=log/pangu_scan.status
+full_cfg_dir=pangu_policy/full/index/
+inc_cfg_dir=pangu_policy/inc/index/
+
+maat_redis_server={{ maat_redis_server.address }}
+maat_redis_port_range={{ maat_redis_server.port }}
+maat_redis_db_index={{ maat_redis_server.db }}
+effect_interval_s=1
+#accept_tags={"tags":[{"tag":"location","value":"Astana"}]}
+accept_path=/opt/tsg/etc/tsg_device_tag.json
+
+[dynamic_maat]
+maat_input_mode=1
+table_info=resource/pangu/dynamic_maat_table_info.conf
+maat_redis_server={{ dynamic_maat_redis_server.address }}
+maat_redis_port_range={{ dynamic_maat_redis_server.port }}
+maat_redis_db_index={{ dynamic_maat_redis_server.db }}
+effect_interval_s=1
+

roles/tsg-env-tun-mode/templates/setup.j2

@@ -1,25 +1,25 @@
 #!/bin/bash
 modprobe 8021q
-vconfig add {{ tsg_tun_mode.ethname }} 100
+vconfig add {{ server.ethname }} 100
-vconfig set_flag {{ tsg_tun_mode.ethname }}.100 1 1
+vconfig set_flag {{ server.ethname }}.100 1 1
-ifconfig {{ tsg_tun_mode.ethname }}.100 192.168.100.1 netmask 255.255.255.0 up
+ifconfig {{ server.ethname }}.100 192.168.100.1 netmask 255.255.255.0 up
 {% if tsg_access_type == 0 %}
-ethtool -K {{ tsg_tun_mode.internal_interface }} tso off
+ethtool -K {{ server.internal_interface }} tso off
-ethtool -K {{ tsg_tun_mode.internal_interface }} gso off
+ethtool -K {{ server.internal_interface }} gso off
-ethtool -K {{ tsg_tun_mode.internal_interface }} gro off
+ethtool -K {{ server.internal_interface }} gro off
-ethtool -K {{ tsg_tun_mode.external_interface }} tso off
+ethtool -K {{ server.external_interface }} tso off
-ethtool -K {{ tsg_tun_mode.external_interface }} gso off
+ethtool -K {{ server.external_interface }} gso off
-ethtool -K {{ tsg_tun_mode.external_interface }} gro off
+ethtool -K {{ server.external_interface }} gro off
 {% elif tsg_access_type == 4 %}
-echo 3 > /sys/class/net/{{ nic_data_incoming.name }}/device/sriov_numvfs
+echo 3 > /sys/class/net/{{ nic_data_incoming.ethname }}/device/sriov_numvfs
-ip link set {{ nic_data_incoming.name }} vf 1 vlan 4095
+ip link set {{ nic_data_incoming.ethname }} vf 1 vlan 4095
-ip link set {{ nic_data_incoming.name }} vf 2 vlan 4095
+ip link set {{ nic_data_incoming.ethname }} vf 2 vlan 4095
-ip link set {{ nic_data_incoming.name }} vf 0 trust on
+ip link set {{ nic_data_incoming.ethname }} vf 0 trust on
-ip link set {{ nic_data_incoming.name }} vf 1 trust on
+ip link set {{ nic_data_incoming.ethname }} vf 1 trust on
-ip link set {{ nic_data_incoming.name }} vf 2 trust on
+ip link set {{ nic_data_incoming.ethname }} vf 2 trust on
-ip link set {{ nic_data_incoming.name }} vf 1 mac 00:0e:c6:d6:72:c1
+ip link set {{ nic_data_incoming.ethname }} vf 1 mac 00:0e:c6:d6:72:c1
-ip link set {{ nic_data_incoming.name }} vf 2 mac fe:65:b7:03:50:bd
+ip link set {{ nic_data_incoming.ethname }} vf 2 mac fe:65:b7:03:50:bd
-ip link set {{ nic_data_incoming.name }} vf 0 spoofchk off
+ip link set {{ nic_data_incoming.ethname }} vf 0 spoofchk off
 ip link set {{ nic_data_incoming.vf0_name }} up
 ip link set {{ nic_data_incoming.vf1_name }} up
 ip link set {{ nic_data_incoming.vf2_name }} up

roles/tsg-env-tun-mode/templates/tsg-env_stop.j2

@@ -1,8 +1,8 @@
 #!/bin/bash
 #
-echo 0 >/sys/class/net/{{ tsg_tun_mode.ethname }}/device/sriov_numvfs
+echo 0 >/sys/class/net/{{ server.ethname }}/device/sriov_numvfs
-ifconfig {{ tsg_tun_mode.ethname }}.100 down
+ifconfig {{ server.ethname }}.100 down
-vconfig rem {{ tsg_tun_mode.ethname }}.100
+vconfig rem {{ server.ethname }}.100
 {% if tsg_access_type == 4 %}
-echo 0 >/sys/class/net/{{ nic_data_incoming.name }}/device/sriov_numvfs
+echo 0 >/sys/class/net/{{ nic_data_incoming.ethname }}/device/sriov_numvfs
 {% endif %}

roles/tsg_device_tag/tasks/main.yml

@@ -0,0 +1,9 @@
+- name: "create /opt/tsg/etc/"
+  file:
+    path: /opt/proxy_status
+    state: directory
+
+- name: "Template tsg_device_tag.json"
+  template:
+    src: "{{ role_path }}/templates/tsg_device_tag.json.j2"
+    dest: /opt/tsg/etc/tsg_device_tag.json

roles/tsg_device_tag/templates/tsg_device_tag.json.j2

@@ -0,0 +1,2 @@
+[MAAT]
+ACCEPT_TAGS={"tags":[{"tag":"device_id","value":"{{ device_id }}"}]}

roles/tsg_master/tasks/main.yml

@@ -6,6 +6,6 @@
 - name: "install tsg_master from localhost"
   yum:
     name:
-      - /tmp/ansible_deploy/tsg_master-1.2.8.2aa222c-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/tsg_master-3.0.4.40fa047-2.el7.x86_64.rpm
     state: present
     skip_broken: yes