20.11.rc3 rebase version 20.11

# Conflicts:
#	roles/sapp/tasks/main.yml

更新firewall相关RPM包

adc_deploy.yml

@@ -0,0 +1,90 @@
+- hosts: adc_mxn
+  remote_user: root
+  roles:
+    - {role: adc_exporter, tags: adc_exporter}
+    - {role: adc_exporter_proxy, tags: adc_exporter_proxy}
+#    - {role: switch_rule, tags: switch_rule}
+
+- hosts: adc_mcn0
+  remote_user: root
+  vars_files:
+    - install_config/group_vars/adc_global.yml
+    - install_config/group_vars/adc_mcn0.yml
+  roles:
+    - {role: framework, tags: framework}
+    - {role: kernel-ml, tags: kernel-ml}
+    - {role: mrzcpd, tags: mrzcpd}
+    - {role: sapp, tags: sapp}
+    - {role: tsg_master, tags: tsg_master}
+    - {role: kni, tags: kni}
+    - {role: firewall, tags: firewall}
+#    - tsg_app
+    - {role: http_healthcheck,tags: http_healthcheck}
+    - {role: redis, tags: redis}
+    - {role: cert-redis, tags: cert-redis}
+    - {role: maat-redis, tags: maat-redis, when: deploy_mode == "cluster"}
+    - {role: certstore, tags: certstore}
+    - {role: telegraf_statistic, tags: telegraf_statistic}
+    - {role: app_proto_identify, tags: app_proto_identify}
+    - {role: adc_exporter, tags: adc_exporter}
+#    - {role: switch_control, tags: switch_control}
+    - {role: tsg-env-patch, tags: tsg-env-patch}
+
+- hosts: adc_mcn1
+  remote_user: root
+  vars_files:
+    - install_config/group_vars/adc_global.yml
+    - install_config/group_vars/adc_mcn1.yml
+  roles:
+#    - tsg-env-mcn1
+    - {role: framework, tags: framework}
+    - {role: kernel-ml, tags: kernel-ml}
+    - {role: mrzcpd, tags: mrzcpd}
+    - {role: tfe, tags: tfe}
+    - {role: adc_exporter, tags: adc_exporter}
+#    - {role: switch_control, tags: switch_control}
+    - {role: tsg-env-patch, tags: tsg-env-patch}
+
+- hosts: adc_mcn2
+  remote_user: root
+  vars_files:
+    - install_config/group_vars/adc_global.yml
+    - install_config/group_vars/adc_mcn2.yml
+  roles:
+#    - tsg-env-mcn2
+    - {role: framework, tags: framework}
+    - {role: kernel-ml, tags: kernel-ml}
+    - {role: mrzcpd, tags: mrzcpd}
+    - {role: tfe, tags: tfe}
+    - {role: adc_exporter, tags: adc_exporter}
+#    - {role: switch_control, tags: switch_control}
+    - {role: tsg-env-patch, tags: tsg-env-path}
+
+- hosts: adc_mcn3
+  remote_user: root
+  vars_files:
+    - install_config/group_vars/adc_global.yml
+    - install_config/group_vars/adc_mcn3.yml
+  roles:
+    - {role: framework, tags: framework}
+    - {role: kernel-ml, tags: kernel-ml}
+    - {role: mrzcpd, tags: mrzcpd}
+    - {role: tfe, tags: tfe}
+#    - {role: adc_exporter, tags: adc_exporter}
+    - {role: switch_control, tags: switch_control}
+    - {role: tsg-env-patch, tags: tsg-env-patch}
+    
+- hosts: packet_dump_server
+  remote_user: root
+  vars_files:
+    - install_config/group_vars/adc_global.yml
+  roles:
+    - {role: framework, tags: framework}
+    - {role: packet_dump, tags: packet_dump}
+
+- hosts: app_global
+  remote_user: root
+  vars_files:
+    - install_config/group_vars/app_global.yml
+  roles:
+    - {role: app_global, tags: app_global}

deploy.yml

@@ -1,83 +0,0 @@
-- hosts: adc_mxn
-  remote_user: root
-  roles:
-#    - tsg-env-mxn
-
-- hosts: adc_mcn0
-  remote_user: root
-  vars_files:
-    - install_config/group_vars/adc_global.yml
-    - install_config/group_vars/adc_mcn0.yml
-  roles:
-#    - tsg-env-mcn0
-    - framework
-    - kernel-ml
-    - mrzcpd
-    - sapp
-    - tsg_master
-    - kni
-    - firewall
-    - http_healthcheck
-    - clotho
-    - certstore
-    - cert-redis
-    - telegraf_statistic
-    - tsg_device_tag
-
-- hosts: adc_mcn1
-  remote_user: root
-  vars_files:
-    - install_config/group_vars/adc_global.yml
-    - install_config/group_vars/adc_mcn1.yml
-  roles:
-#    - tsg-env-mcn1
-    - framework
-    - kernel-ml
-    - mrzcpd
-    - tfe
-
-- hosts: adc_mcn2
-  remote_user: root
-  vars_files:
-    - install_config/group_vars/adc_global.yml
-    - install_config/group_vars/adc_mcn2.yml
-  roles:
-#    - tsg-env-mcn2
-    - framework
-    - kernel-ml
-    - mrzcpd
-    - tfe
-
-- hosts: adc_mcn3
-  remote_user: root
-  vars_files:
-    - install_config/group_vars/adc_global.yml
-    - install_config/group_vars/adc_mcn3.yml
-  roles:
-#    - tsg-env-mcn3
-    - framework
-    - kernel-ml
-    - mrzcpd
-    - tfe
-
-- hosts: server-as-tun-mode
-  remote_user: root
-  vars_files:
-    - install_config/group_vars/server_as_tun_mode.yml
-  roles:
-    - kernel-ml
-    - framework
-    - mrzcpd
-    - tsg-env-tun-mode
-    - sapp
-    - tsg_master
-    - kni
-    - firewall
-    - http_healthcheck
-    - clotho
-    - certstore
-    - cert-redis
-    - tfe
-    - telegraf_statistic
-    - proxy_status
-    - tsg_device_tag

install_config/group_vars/adc_global.yml

@@ -1,58 +1,73 @@
 #########################################
 #####1: Inline_device;  2: Allot;  3: ADC_Tun_mode;
-tsg_access_type: 3
+tsg_access_type: 2
 #####2: ADC;
 tsg_running_type: 2
+#####deploy mode: cluster, single
+deploy_mode: "cluster"
+########################################
+#Deploy_finished_reboot
+Deploy_finished_reboot: 0
 
 ########################################
 #IP Config
-maat_redis_server:
+maat_redis_city_server:
-  address: "192.168.40.168"
+  address: "10.4.62.253"
   port: 7002
+
+maat_redis_server:
+  address: "192.168.100.1"
+  port: 7002
+  port_num: 1
   db: 0
 
 dynamic_maat_redis_server:
-  address: "192.168.40.168"
+  address: "192.168.100.1"
   port: 7002
-  db: 0
+  port_num: 1
+  db: 1
 
 cert_store_server:
   address: "192.168.100.1"
   port: 9991
 
 log_kafkabrokers:
-  address: "1.1.1.1:9092,2.2.2.2:9092"
+  address: ['1.1.1.1:9092','2.2.2.2:9092']
 
 log_minio:
-  address: "192.168.40.168;"
+  address: "10.4.62.253"
   port: 9090
 
 #########################################
 #Log Level Config
 #日志等级 10:DEBUG 20:INFO 30:FATAL
-fw_ftp_log_level: 30
+fw_ftp_log_level: 10
-fw_mail_log_level: 30
+fw_mail_log_level: 10
-fw_http_log_level: 30
+fw_http_log_level: 10
-fw_dns_log_level: 30
+fw_dns_log_level: 10
-fw_quic_log_level: 30
+fw_quic_log_level: 10
-capture_packet_log_level: 30
+app_control_log_level: 10
-tsg_log_level: 30
+capture_packet_log_level: 10
-tsg_master_log_level: 30
+tsg_log_level: 10
-kni_log_level: 30
+tsg_master_log_level: 10
-tfe_log_level: 30
+kni_log_level: 10
-tfe_http_log_level: 30
+
-pangu_log_level: 30
+#日志等级 DEBUG INFO FATAL
-doh_log_level: 30
+tfe_log_level: FATAL
-certstore_log_level: 30
+tfe_http_log_level: FATAL
-clotho_log_level: 10
+pangu_log_level: FATAL
+doh_log_level: FATAL
+
+certstore_log_level: FATAL
+packet_dump_log_level: 10
 
 #######################################
 #Sapp Performance Config
 #Sapp工作在ADC计算板0时，建议使用如下30+8的配置，以保证更高的处理性能
 sapp:
-  worker_threads: 30
+  worker_threads: 42
-  send_only_threads_max: 8
+  send_only_threads_max: 1
-  bind_mask: 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37
+  bind_mask: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43
   inbound_route_dir: 1
 
 ########################################
@@ -75,15 +90,35 @@ kni:
 #Tfe Config
 tfe:
   nr_threads: 32
-  mc_cache_eth: lo 
+  mirror_enable: 1
-  keykeeper:
-    no_cache: 0
 
 ########################################
 #Marsio Config
 #marsio工作在ADC计算板时，建议使用如下配置，以保证更高的处理性能
-mrzcpd:
+mcn0_mrzcpd:
-  iocore: 44,45,46,47
+  iocore: 52,53,54,55
+
+mcn123_mrzcpd:
+  iocore: 54,55
 
 mrtunnat:
-  lcore_id: 40,41,42,43
+  lcore_id: 48,49,50,51 
+
+#########################################
+#Tsg_app
+tsg_app_enable: 0
+app_global_ip: "1.1.1.1"
+applog_level: 10
+app_master_log_level: 10
+app_sketch_local_log_level: 10
+app_control_plug_log_level: 10
+
+breakpad_upload_url: http://10.4.63.4:9000/api/2/minidump/?sentry_key=3203b43fd5384a7dbe6a48ecb1f3c595
+data_center: Kyzylorda
+tsg_master_entrance_id: 9
+nic_mgr: 
+   name: em1
+   
+sapp_prometheus_enable: 1
+sapp_prometheus_port: 9273
+sapp_prometheus_url_path: "/metrics"

install_config/group_vars/adc_mcn0.yml

@@ -1,7 +1,7 @@
 #########################################
 #Mcn0管理口网卡名
 nic_mgr:
-  name: enp6s0
+  name: ens1f3
 
 #########################################
 #Mcn0流量接入网卡，固定配置
@@ -29,9 +29,13 @@ inline_device_config:
 #########################################
 #Allot接入相关配置
 AllotAccess:
-  virturlInterface_1: ens1f2.103
+  #virturlInterface_1: ens1f2.103
-  virturlInterface_2: ens1f2.104
+  #virturlInterface_2: ens1f2.104
-  virturlID_1: 103
+  virturlID_1: 1201
-  virturlID_2: 104
+  virturlID_2: 1202
-  vvipv4_mask: 24
+  virturlID_3: 1301
-  vvipv6_mask: 64
+  virturlID_4: 1302
+  #vvipv4_mask: 24
+  #vvipv6_mask: 64
+
+bladename: mcn0

install_config/group_vars/adc_mcn1.yml

@@ -1,7 +1,7 @@
 #########################################
 #Mcn1管理口网卡名
 nic_mgr:
-  name: enp6s0
+  name: ens1f3
 
 #########################################
 #Mcn1流量接入网卡，固定配置
@@ -15,3 +15,5 @@ nic_inner_ctrl:
 nic_traffic_mirror:
   name: ens1f2
   use_mrzcpd: 1
+
+bladename: mcn1

install_config/group_vars/adc_mcn2.yml

@@ -1,7 +1,7 @@
 #########################################
 #Mcn2管理口网卡名
 nic_mgr:
-  name: enp6s0
+  name: ens8f3
 
 #########################################
 #Mcn2流量接入网卡，固定配置
@@ -15,3 +15,5 @@ nic_inner_ctrl:
 nic_traffic_mirror:
   name: ens8f2
   use_mrzcpd: 1
+  
+bladename: mcn2

install_config/group_vars/adc_mcn3.yml

@@ -1,7 +1,7 @@
 #########################################
 #Mcn3管理口网卡名
 nic_mgr:
-  name: enp6s0
+  name: ens8f3
 
 #########################################
 #Mcn3流量接入网卡，固定配置
@@ -15,3 +15,5 @@ nic_inner_ctrl:
 nic_traffic_mirror:
   name: ens8f2
   use_mrzcpd: 1
+  
+bladename: mcn3

install_config/group_vars/app_global.yml

@@ -0,0 +1,10 @@
+#########################################
+app_sketch_global_log_level: 10
+
+maat_redis_server:
+  address: "192.168.40.168"
+  port: 7002
+  db: 0
+
+file_stat_ip: "1.1.1.1"
+  

install_config/group_vars/server_as_tun_mode.yml

@@ -1,8 +1,15 @@
 #########################################
-#####0: Pcap;  1: Inline_device;  4: ATCA_Vlan_Flipping;  5:ATCA_VXLAN;
+#####0: Pcap;  1: Inline_device;   5:ATCA_VXLAN;
-tsg_access_type: 1
+tsg_access_type: 0
 #####0: Tun_mode;  1: normal;
-tsg_running_type: 1
+tsg_running_type: 0
+
+#####deploy mode: cluster, single
+deploy_mode: "single"
+
+########################################
+#Deploy_finished_reboot
+Deploy_finished_reboot: 0
 
 ########################################
 #Server Basic Config
@@ -14,25 +21,32 @@ nic_inner_ctrl:
 
 #########################################
 #IP Config
+#maat_redis_city_serve相关配置只在部署集群模式时使用
+maat_redis_city_server:
+  address: ""
+  port: 
+
 maat_redis_server:
-  address: "192.168.40.168"
+  address: "#Bifang IP#"
   port: 7002
+  port_num: 1
   db: 0
 
 dynamic_maat_redis_server:
-  address: "192.168.40.168"
+  address: "#Bifang IP#"
   port: 7002
-  db: 0
+  port_num: 1
+  db: 1
 
 cert_store_server:
   address: "192.168.100.1"
   port: 9991
 
 log_kafkabrokers:
-  address: "1.1.1.1:9092,2.2.2.2:9092"
+  address: ['1.1.1.1:9092','2.2.2.2:9092']
 
 log_minio:
-  address: "192.168.40.168;"
+  address: "10.9.62.253"
   port: 9090
 
 #########################################
@@ -43,24 +57,28 @@ fw_mail_log_level: 10
 fw_http_log_level: 10
 fw_dns_log_level: 10
 fw_quic_log_level: 10
+app_control_log_level: 10
 capture_packet_log_level: 10
 tsg_log_level: 10
 tsg_master_log_level: 10
 kni_log_level: 10
-tfe_log_level: 10
+
-tfe_http_log_level: 10
+#日志等级 DEBUG INFO FATAL
-pangu_log_level: 10
+tfe_log_level: FATAL
-doh_log_level: 10
+tfe_http_log_level: FATAL
+pangu_log_level: FATAL
+doh_log_level: FATAL
+
 certstore_log_level: 10
-clotho_log_level: 10
+packet_dump_log_level: 10
 
 #########################################
 #Sapp Performance Config
 #如果tsg_access_type=0，sapp跑在pcap模式，则以下配置可忽略
 sapp:
-  worker_threads: 16
+  worker_threads: 23
-  send_only_threads_max: 8
+  send_only_threads_max: 1
-  bind_mask: 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23
+  bind_mask: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
   inbound_route_dir: 1
 
 #########################################
@@ -90,9 +108,7 @@ kni:
 #Tfe Config
 tfe:
   nr_threads: 32
-  mc_cache_eth: lo 
+  mirror_enable: 1
-  keykeeper:
-    no_cache: 0
 
 #########################################
 #Marsio Config
@@ -102,6 +118,15 @@ mrzcpd:
 mrtunnat:
   lcore_id: 38
 
+#########################################
+#Tsg_app
+tsg_app_enable: 1
+app_global_ip: "1.1.1.1"
+applog_level: 10
+app_master_log_level: 10
+app_sketch_local_log_level: 10
+app_control_plug_log_level: 10
+
 #########################################
 #ATCA Config
 #下列配置只在tsg_access_type=4时生效
@@ -128,3 +153,14 @@ inline_device_config:
   keepalive_ip: 192.168.1.30
   keepalive_mask: 255.255.255.252
   data_incoming: eth5
+
+#########################################
+#新增配置项,均为默认值不用改
+breakpad_upload_url: http://127.0.0.1:9000/api/2/minidump/?sentry_key=3556bac347c74585a994eb6823faf5c6
+
+data_center: Beijing
+tsg_master_entrance_id: 0
+
+sapp_prometheus_enable: 1
+sapp_prometheus_port: 9273
+sapp_prometheus_url_path: "/metrics"

install_config/hosts

@@ -4,7 +4,11 @@
 #变量device_id根据设备序号设置即可
 #变量vvipv4_1、vvipv4_2、vvipv6_1、vvipv6_2为Allot相关配置，其他环境可不填或直接删除变量
 #
-#[server-as-tun-mode]
+#20.09版本新增APP部署
+#[app_global]
+#0.0.0.0
+
+#[server_as_tun_mode]
 #1.1.1.1 device_id=device_1
 #
 #[adc_mxn]
@@ -27,10 +31,15 @@
 #10.3.76.1 device_id=device_1
 #10.3.76.2 device_id=device_2
 
-[server-as-tun-mode]
+#[app_global]
-[adc_mxn]
+#[server_as_tun_mode]
+#broken warning:
+#10.4.52.71
 [adc_mcn0]
 [adc_mcn1]
 [adc_mcn2]
 [adc_mcn3]
+[app_global]
+[server_as_tun_mode]
+
 

roles/adc_exporter/tasks/main.yml

@@ -0,0 +1,72 @@
+- name: "copy freeipmi tools"
+  copy:
+    src: '{{ role_path }}/files/freeipmi-1.5.7-3.el7.x86_64.rpm'
+    dest: /tmp/ansible_deploy/
+
+- name: "Install freeipmi rpm package"
+  yum:
+    name:
+      - "/tmp/ansible_deploy/freeipmi-1.5.7-3.el7.x86_64.rpm"
+    state: present
+
+- name: "mkdir /opt/adc-exporter/"
+  file:
+    path: /opt/adc-exporter/
+    state: directory
+
+- name: "copy node_exporter"
+  copy:
+    src: '{{ role_path }}/files/node_exporter'
+    dest: /opt/adc-exporter/node_exporter
+    mode: 0755
+
+- name: "copy systemd_exporter"
+  copy:
+    src: '{{ role_path }}/files/systemd_exporter'
+    dest: /opt/adc-exporter/systemd_exporter
+    mode: 0755
+
+- name: "copy ipmi_exporter"
+  copy:
+    src: '{{ role_path }}/files/ipmi_exporter'
+    dest: /opt/adc-exporter/ipmi_exporter
+    mode: 0755
+
+- name: "templates adc-exporter-node.service"
+  template:
+    src: "{{role_path}}/templates/adc-exporter-node.service.j2"
+    dest: /usr/lib/systemd/system/adc-exporter-node.service
+  tags: template
+
+- name: "templates adc-exporter-systemd.service"
+  template:
+    src: "{{role_path}}/templates/adc-exporter-systemd.service.j2"
+    dest: /usr/lib/systemd/system/adc-exporter-systemd.service
+  tags: template
+
+- name: "templates adc-exporter-ipmi.service"
+  template:
+    src: "{{role_path}}/templates/adc-exporter-ipmi.service.j2"
+    dest: /usr/lib/systemd/system/adc-exporter-ipmi.service
+  tags: template
+
+- name: 'adc-exporter-node service start'
+  systemd:
+    name: adc-exporter-node
+    enabled: yes
+    daemon_reload: yes
+    state: started
+
+- name: 'adc-exporter-systemd service start'
+  systemd:
+    name: adc-exporter-systemd
+    enabled: yes
+    daemon_reload: yes
+    state: restarted
+
+- name: 'adc-exporter-ipmi service start'
+  systemd:
+    name: adc-exporter-ipmi
+    enabled: yes
+    daemon_reload: yes
+    state: restarted

roles/adc_exporter/templates/adc-exporter-ipmi.service.j2

@@ -0,0 +1,11 @@
+[Unit]
+Description=IPMI Exporter
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/opt/adc-exporter/ipmi_exporter
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/adc_exporter/templates/adc-exporter-node.service.j2

@@ -0,0 +1,11 @@
+[Unit]
+Description=Node Exporter
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/opt/adc-exporter/node_exporter
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/adc_exporter/templates/adc-exporter-systemd.service.j2

@@ -0,0 +1,11 @@
+[Unit]
+Description=Systemd Exporter
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/opt/adc-exporter/systemd_exporter --web.disable-exporter-metrics
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/adc_exporter_ping/tasks/main.yml

@@ -0,0 +1,23 @@
+- name: "mkdir /opt/adc-exporter/"
+  file:
+    path: /opt/adc-exporter/
+    state: directory
+
+- name: "copy ping_exporter"
+  copy:
+    src: '{{ role_path }}/files/ping_exporter'
+    dest: /opt/adc-exporter/ping_exporter
+    mode: 0755
+
+- name: "templates ping_exporter.service"
+  template:
+    src: "{{role_path}}/templates/adc-exporter-ping.service.j2"
+    dest: /usr/lib/systemd/system/adc-exporter-ping.service
+  tags: template
+
+- name: 'adc-exporter-ping service start'
+  systemd:
+    name: adc-exporter-ping
+    enabled: yes
+    daemon_reload: yes
+    state: restarted

roles/adc_exporter_ping/templates/adc-exporter-ping.service.j2

@@ -0,0 +1,11 @@
+[Unit]
+Description=Ping Exporter
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/opt/adc-exporter/ping_exporter {{ ping_test.target|join(" ")}} --ping.size=512 --ping.interval=0.5s
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/adc_exporter_proxy/tasks/main.yml

@@ -0,0 +1,34 @@
+- name: "mkdir /opt/adc-exporter-proxy/"
+  file:
+    path: /opt/adc-exporter-proxy/
+    state: directory
+
+- name: "copy file to device"
+  copy:
+    src: '{{ role_path }}/files/'
+    dest: /tmp/ansible_deploy/
+    
+- name: "unarchive adc-exporter-proxy(NGINX)"
+  unarchive:
+    src: /tmp/ansible_deploy/adc_exporter_proxy.tar.gz
+    dest: /opt/adc-exporter-proxy
+    remote_src: yes
+
+- name: "templates adc-exporter-proxy.service"
+  template:
+    src: "{{role_path}}/templates/adc-exporter-proxy.service.j2"
+    dest: /usr/lib/systemd/system/adc-exporter-proxy.service
+  tags: template
+
+- name: "template nginx.conf"
+  template:
+    src: "{{role_path}}/templates/nginx.conf.j2"
+    dest: /opt/adc-exporter-proxy/adc-exporter-proxy/conf/nginx.conf
+  tags: template
+
+- name: 'adc-exporter-proxy service start'
+  systemd:
+    name: adc-exporter-proxy
+    enabled: yes
+    daemon_reload: yes
+    state: restarted

roles/adc_exporter_proxy/templates/adc-exporter-proxy.service.j2

@@ -0,0 +1,12 @@
+[Unit]
+Description=ADC Exporter Proxy (NGINX) for NEZHA
+After=network.target remote-fs.target nss-lookup.target
+
+[Service]
+Type=simple
+ExecStart=/opt/adc-exporter-proxy/adc-exporter-proxy/sbin/nginx -p /opt/adc-exporter-proxy/adc-exporter-proxy
+ExecReload=/opt/adc-exporter-proxy/adc-exporter-proxy/sbin/nginx -p /opt/adc-exporter-proxy/adc-exporter-proxy -s reload
+ExecStop=/opt/adc-exporter-proxy/adc-exporter-proxy/sbin/nginx -p /opt/adc-exporter-proxy/adc-exporter-proxy -s stop
+
+[Install]
+WantedBy=multi-user.target

roles/adc_exporter_proxy/templates/nginx.conf.j2

@@ -0,0 +1,152 @@
+
+user  nobody;
+worker_processes  1;
+daemon off;
+
+error_log  logs/error.log;
+error_log  logs/error.log  notice;
+error_log  logs/error.log  info;
+pid        logs/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    #access_log  logs/access.log  main;
+
+    sendfile        on;
+    tcp_nopush     on;
+
+    keepalive_timeout  65;
+    gzip  on;
+
+    server {
+	    listen       9000;
+	    server_name  localhost;
+
+	    location /metrics/blade/mcn0/node_exporter {
+		    proxy_pass   http://192.168.100.1:9100/metrics;
+	    }
+
+	    location /metrics/blade/mcn1/node_exporter {
+		    proxy_pass   http://192.168.100.2:9100/metrics;
+	    }
+
+	    location /metrics/blade/mcn2/node_exporter {
+		    proxy_pass   http://192.168.100.3:9100/metrics;
+	    }
+
+	    location /metrics/blade/mcn3/node_exporter {
+		    proxy_pass   http://192.168.100.4:9100/metrics;
+	    }
+
+	    location /metrics/blade/mxn/node_exporter {
+		    proxy_pass   http://192.168.100.5:9100/metrics;
+	    }
+
+            location /metrics/blade/mcn0/systemd_exporter {
+                    proxy_pass   http://192.168.100.1:9558/metrics;
+            }
+
+            location /metrics/blade/mcn1/systemd_exporter {
+                    proxy_pass   http://192.168.100.2:9558/metrics;
+            }
+
+            location /metrics/blade/mcn2/systemd_exporter {
+                    proxy_pass   http://192.168.100.3:9558/metrics;
+            }
+
+            location /metrics/blade/mcn3/systemd_exporter {
+                    proxy_pass   http://192.168.100.4:9558/metrics;
+            }
+
+	    location /metrics/blade/mcn0/ipmi_exporter {
+		    proxy_pass   http://192.168.100.1:9290/metrics;
+	    }
+
+	    location /metrics/blade/mcn1/ipmi_exporter {
+		    proxy_pass   http://192.168.100.2:9290/metrics;
+	    }
+
+	    location /metrics/blade/mcn2/ipmi_exporter {
+		    proxy_pass   http://192.168.100.3:9290/metrics;
+	    }
+
+	    location /metrics/blade/mcn3/ipmi_exporter {
+		    proxy_pass   http://192.168.100.4:9290/metrics;
+	    }
+
+	    location /metrics/blade/mxn/ipmi_exporter {
+		    proxy_pass   http://192.168.100.5:9290/metrics;
+	    }
+
+            location /metrics/blade/mcn0/certstore {
+                    proxy_pass   http://192.168.100.1:9002/metrics;
+            }
+
+            location /metrics/blade/mcn1/tfe {
+                    proxy_pass   http://192.168.100.2:9001/metrics;
+            }
+
+            location /metrics/blade/mcn2/tfe {
+                    proxy_pass   http://192.168.100.3:9001/metrics;
+            }
+
+            location /metrics/blade/mcn3/tfe {
+                    proxy_pass   http://192.168.100.4:9001/metrics;
+            }
+
+            location /metrics/blade/mcn0/sapp {
+                    proxy_pass   http://192.168.100.1:9273/metrics;
+            }
+
+            location /metrics/blade/mcn0/mrapm_device {
+                    proxy_pass   http://192.168.100.1:8901/metrics;
+            }
+
+	    location /metrics/blade/mcn0/mrapm_stream {
+                    proxy_pass   http://192.168.100.1:8902/metrics;
+            }
+
+	    location /metrics/blade/mcn1/mrapm_device {
+                    proxy_pass   http://192.168.100.2:8901/metrics;
+            }
+
+	    location /metrics/blade/mcn1/mrapm_stream {
+                    proxy_pass   http://192.168.100.2:8902/metrics;
+            }
+
+            location /metrics/blade/mcn2/mrapm_device {
+                    proxy_pass   http://192.168.100.3:8901/metrics;
+            }
+
+	    location /metrics/blade/mcn2/mrapm_stream {
+                    proxy_pass   http://192.168.100.3:8902/metrics;
+            }
+
+            location /metrics/blade/mcn3/mrapm_device {
+                    proxy_pass   http://192.168.100.4:8901/metrics;
+            }
+
+	    location /metrics/blade/mcn3/mrapm_stream {
+                    proxy_pass   http://192.168.100.4:8902/metrics;
+            }
+
+            location /metrics/blade/mcn0/maat_redis {
+                    proxy_pass   http://192.168.100.1:9121/metrics;
+            }
+
+            location /metrics/blade/mcn0/ping_exporter {
+                    proxy_pass   http://192.168.100.1:9427/metrics;
+            }
+    }
+}

roles/app_global/tasks/main.yml

@@ -0,0 +1,36 @@
+- name: "copy app_global rpm to destination server"
+  copy:
+    src: "{{ role_path }}/files/"
+    dest: /tmp/ansible_deploy/
+
+- name: "install app rpms from localhost"
+  yum:
+    name:
+      - /tmp/ansible_deploy/emqx-centos7-v4.1.2.x86_64.rpm
+      - /tmp/ansible_deploy/app-sketch-global-1.0.3.202010.a7b2e40-1.el7.x86_64.rpm
+    state: present
+
+- name: "template the app_sketch_global.conf"
+  template:
+    src: "{{ role_path }}/templates/app_sketch_global.conf.j2"
+    dest: /opt/tsg/app-sketch-global/conf/app_sketch_global.conf
+
+- name: "template the zlog.conf"
+  template:
+    src: "{{ role_path }}/templates/zlog.conf.j2"
+    dest: /opt/tsg/app-sketch-global/conf/zlog.conf
+
+- name: "Start emqx"
+  systemd:
+    name: emqx.service
+    state: started
+    enabled: yes
+    daemon_reload: yes
+    
+
+- name: "Start app-sketch-global"
+  systemd:
+    name: app-sketch-global.service
+    state: started
+    enabled: yes
+    daemon_reload: yes

roles/app_global/templates/app_sketch_global.conf.j2

@@ -0,0 +1,41 @@
+[SYSTEM]
+#1:print on screen, 0:don't
+DEBUG_SWITCH = 1
+RUN_LOG_PATH = "conf/zlog.conf"
+
+[breakpad]
+disable_coredump=0
+enable_breakpad=1
+breakpad_minidump_dir=/tmp/app-sketch-global/crashreport
+enable_breakpad_upload=0
+breakpad_upload_url={{ breakpad_upload_url }}
+
+[CONFIG]
+#Number of running threads
+thread-nu = 1
+timeout = 3600
+address="tcp://127.0.0.1:1883"
+topic_name="APP_SIGNATURE_ID"
+client_name="ExampleClientSub"
+
+[maat]
+# 0:json 1: redis 2: iris
+maat_input_mode=1
+table_info=./resource/table_info.conf
+json_cfg_file=./resource/gtest.json
+stat_file=logs/verify-policy.status
+full_cfg_dir=verify-policy/
+inc_cfg_dir=verify-policy/
+
+maat_redis_server={{ maat_redis_server.address }}
+maat_redis_port_range={{ maat_redis_server.port }}
+maat_redis_db_index={{ maat_redis_server.db }}
+effect_interval_s=1
+accept_tags={"tags":[{"tag":"location","value":"Astana"}]}
+
+[stat]
+statsd_server={{ file_stat_ip }}
+statsd_port=8100
+statsd_cycle=5
+# FS_OUTPUT_STATSD=1, FS_OUTPUT_INFLUX_LINE=2
+statsd_format=2

roles/app_global/templates/zlog.conf.j2

@@ -0,0 +1,12 @@
+[global]
+default format = "%d(%c), %V, %F, %U, %m%n"
+[levels]
+DEBUG=10
+INFO=20
+FATAL=30
+[rules]
+*.fatal        "./logs/error.log.%d(%F)";
+*.{{ app_sketch_global_log_level }}		"./logs/app_sketch_global.log.%d(%F)"
+
+
+

roles/app_proto_identify/tasks/main.yml

@@ -0,0 +1,14 @@
+---
+- name: "copy app_proto_identify rpm package destination server"
+  copy:
+    src: "{{ role_path }}/files/"
+    dest: /tmp/ansible_deploy/
+
+- name: "install app_proto_identify"
+  yum:
+    name: "{{ app_packages }}"
+    state: present
+    skip_broken: yes
+  vars:
+    app_packages:
+      - /tmp/ansible_deploy/app_proto_identify-1.0.7.a5113ba-2.el7.x86_64.rpm

roles/cert-redis/files/cert-redis.conf

@@ -160,7 +160,7 @@ loglevel notice
 # Specify the log file name. Also the empty string can be used to force
 # Redis to log on the standard output. Note that if you use standard
 # output for logging but daemonize, logs will be sent to /dev/null
-logfile "/home/tsg/cert-redis/6379/6379.log"
+#logfile "/opt/tsg/cert-redis/6379/6379.log"
 
 # To enable logging to the system logger, just set 'syslog-enabled' to yes,
 # and optionally update the other syslog parameters to suit your needs.
@@ -244,7 +244,7 @@ dbfilename dump.rdb
 # The Append Only File will also be created inside this directory.
 #
 # Note that you must specify a directory here, not a file name.
-dir /home/tsg/cert-redis/6379/
+#dir /opt/tsg/cert-redis/6379/
 
 ################################# REPLICATION #################################
 

roles/cert-redis/files/cert-redis.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Redis persistent key-value database
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/redis-server /etc/cert-redis.conf --supervised systemd
+ExecStop=/usr/libexec/redis-shutdown cert-redis
+Type=notify
+
+[Install]
+WantedBy=multi-user.target
+

roles/cert-redis/files/cert-redis/cert-redis.service

@@ -1,16 +0,0 @@
-[Unit]
-Description=Redis persistent key-value database
-After=network.target
-After=network-online.target
-Wants=network-online.target
-
-[Service]
-ExecStart=/usr/local/bin/start-cert-redis
-ExecStop=killall redis-server
-Type=forking
-RuntimeDirectory=redis
-RuntimeDirectoryMode=0755
-
-[Install]
-WantedBy=multi-user.target
-

roles/cert-redis/files/cert-redis/install.sh

@@ -1,6 +0,0 @@
-#!/bin/bash
-#
-cp -rf redis-server /usr/local/bin/
-cp -rf redis-cli /usr/local/bin
-cp -rf cert-redis.service /usr/lib/systemd/system/
-cp -rf start-cert-redis /usr/local/bin

roles/cert-redis/files/cert-redis/start-cert-redis

@@ -1,4 +0,0 @@
-#!/bin/bash
-#
-
-/usr/local/bin/redis-server /home/tsg/cert-redis/6379/6379.conf

roles/cert-redis/tasks/main.yml

@@ -1,11 +1,11 @@
-- name: "copy cert-redis to destination server"
+- name: "copy cert-redis file to dest"
   copy:
     src: "{{ role_path }}/files/"
-    dest: /home/tsg
+    dest: "{{ item.dest }}"
-    mode: 0755
+    mode: "{{ item.mode }}"
-
+  with_items:
-- name: "install cert-redis"
+    - { src: "cert-redis.conf" , dest: "/etc" , mode: "0644" } 
-  shell: cd /home/tsg/cert-redis;sh install.sh
+    - { src: "cert-redis.service" , dest: "/usr/lib/systemd/system" , mode: "0644" }
 
 - name: "start cert-redis"
   systemd:

roles/certstore/files/memory.conf

@@ -0,0 +1,3 @@
+[Service]
+MemoryLimit=16G
+ExecStartPost=/bin/bash -c "echo 16G > /sys/fs/cgroup/memory/system.slice/certstore.service/memory.memsw.limit_in_bytes"

roles/certstore/tasks/main.yml

@@ -3,20 +3,31 @@
     src: "{{ role_path }}/files/"
     dest: "/tmp/ansible_deploy/"
 
-- name: Ensures /home/tsg exists
+- name: Ensures /opt/tsg exists
-  file: path=/home/tsg state=directory
+  file: path=/opt/tsg state=directory
   tags: mkdir
 
 - name: install certstore
   yum:
     name:
-      - /tmp/ansible_deploy/certstore-2.1.2.20200828.f507b3e-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/certstore-2.1.6.20201215.f2e9ba7-1.el7.x86_64.rpm
     state: present
 
 - name: template certstore configure file
   template:
     src: "{{ role_path }}/templates/cert_store.ini.j2"
-    dest: /home/tsg/certstore/conf/cert_store.ini
+    dest: /opt/tsg/certstore/conf/cert_store.ini
+
+- name: template certstore zlog file
+  template:
+    src: "{{ role_path }}/templates/zlog.conf.j2"
+    dest: /opt/tsg/certstore/conf/zlog.conf
+
+- name: "copy memory limit file to certstore.service.d"
+  copy:
+    src: "{{ role_path }}/files/memory.conf"
+    dest: /etc/systemd/system/certstore.service.d/
+    mode: 0644
 
 - name: "start certstore"
   systemd:

roles/certstore/templates/cert_store.ini.j2

@@ -1,9 +1,15 @@
 [SYSTEM]
 #1:print on screen, 0:don't
 DEBUG_SWITCH = 1
-#10:DEBUG, 20:INFO, 30:FATAL
+RUN_LOG_PATH = "conf/zlog.conf"
-RUN_LOG_LEVEL = {{ certstore_log_level }}
+
-RUN_LOG_PATH = ./logs
+[breakpad]
+disable_coredump=0
+enable_breakpad=1
+breakpad_minidump_dir=/tmp/certstore/crashreport
+enable_breakpad_upload=1
+breakpad_upload_url= {{ breakpad_upload_url }}
+
 [CONFIG]
 #Number of running threads
 thread-nu = 4
@@ -14,7 +20,8 @@ expire_after = 30
 #Local default root certificate path
 local_debug = 1
 ca_path = ./cert/tango-ca-v3-trust-ca.pem
-untrusted_ca_path = ./cert/mesalab-ca-untrust.pem
+untrusted_ca_path = ./cert/tango-ca-v3-untrust-ca.pem
+
 [MAAT]
 #Configure the load mode,
 #0: using the configuration distribution network
@@ -31,18 +38,23 @@ inc_cfg_dir=./rule/inc/index
 full_cfg_dir=./rule/full/index
 #Json file path when json schema is used
 pxy_obj_keyring=./conf/pxy_obj_keyring.json
+
 [LIBEVENT]
 #Local monitor port number, default is 9991
 port = 9991
+
 [CERTSTORE_REDIS]
 #The Redis server IP address and port number where the certificate is stored locally
 ip = 127.0.0.1
 port = 6379
+
 [MAAT_REDIS]
 #Maat monitors the Redsi server IP address and port number
 ip = {{ maat_redis_server.address }}
 port = {{ maat_redis_server.port }}
 dbindex =  {{ maat_redis_server.db }}
 [stat]
-statsd_server=192.168.100.1
+statsd_server=127.0.0.1
-statsd_port=8126
+statsd_port=8100
+statsd_set_prometheus_port=9002
+statsd_set_prometheus_url_path=/metrics

roles/certstore/templates/zlog.conf.j2

@@ -0,0 +1,10 @@
+[global]
+default format = "%d(%c), %V, %F, %U, %m%n"
+[levels]
+DEBUG=10
+INFO=20
+FATAL=30
+[rules]
+*.fatal        "./logs/error.log.%d(%F)";
+*.{{ certstore_log_level }}        "./logs/certstore.log.%d(%F)"
+

roles/clotho/files/clotho.service

@@ -1,13 +0,0 @@
-[Unit]
-Description=clotho
-After=network.target
-After=network-online.target
-Wants=network-online.target
-
-[Service]
-ExecStart=/home/mesasoft/clotho/clotho
-ExecStop=killall clotho
-Type=forking
-
-[Install]
-WantedBy=multi-user.target

roles/clotho/tasks/main.yml

@@ -1,29 +0,0 @@
-- name: "copy clotho rpm to destination server"
-  copy:
-    src: "{{ role_path }}/files/clotho-debug-1.0.0.-1.el7.x86_64.rpm"
-    dest: /tmp/ansible_deploy/
-
-- name: "copy  clotho.service to destination server"
-  copy:
-    src: "{{ role_path }}/files/clotho.service"
-    dest: /usr/lib/systemd/system
-    mode: 0755
-
-- name: "install clotho rpm from localhost"
-  yum:
-    name:
-      - /tmp/ansible_deploy/clotho-debug-1.0.0.-1.el7.x86_64.rpm
-    state: present
-
-- name: "Template the clotho.conf"
-  template:
-    src: "{{ role_path }}/templates/clotho.conf.j2"
-    dest: /home/mesasoft/clotho/conf/clotho.conf 
-  tags: template
- 
-- name: "start clotho"
-  systemd:
-    name: clotho.service
-    enabled: yes
-    daemon_reload: yes
-

roles/clotho/templates/clotho.conf.j2

@@ -1,7 +0,0 @@
-[KAFKA]
-BROKER_LIST={{ log_kafkabrokers.address }}
-
-[SYSTEM]
-NIC_NAME={{ nic_mgr.name }}
-LOG_LEVEL={{ clotho_log_level }}
-LOG_PATH=log/clotho

roles/firewall/tasks/main.yml

@@ -11,22 +11,22 @@
     skip_broken: yes
   vars:
     fw_packages:
-      - /tmp/ansible_deploy/capture_packet_plug-3.0.2.09f193c-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/capture_packet_plug-3.0.6.a2db4a4-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/clotho-debug-1.0.0.-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/conn_telemetry-1.0.2.8d6da43-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/dns-2.0.6.d8317e9-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/dns-2.0.9.b639626-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/ftp-1.0.6.2710506-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/ftp-1.0.8.13d5fda-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/fw_dns_plug-3.0.0.0a5d574-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_dns_plug-3.0.2.dab58fa-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/fw_ftp_plug-3.0.0.7a867ea-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_ftp_plug-3.0.1.0a78573-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/fw_http_plug-3.0.0.1ca1c65-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_http_plug-3.0.4.484b54d-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/fw_mail_plug-3.0.0.3b4e481-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_mail_plug-3.0.2.7401550-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/fw_quic_plug-3.0.0.b06d39c-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_quic_plug-3.0.4.947ef77-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/fw_ssl_plug-3.0.1.7ea9976-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_ssl_plug-3.0.6.a121701-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/http-2.0.3.9218b4b-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/http-2.0.5.c61ad9a-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/mail-1.0.7.9e3be05-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/mail-1.0.9.c1d3bde-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/quic-1.1.6.d6755d8-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/quic-1.1.17.8c22b4d-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/ssl-1.0.3.e8482a4-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/ssl-1.0.12.16b8fb5-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/tsg_conn_record-1.0.2.2afb19a-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/tsg_conn_sketch-2.0.12.0ad5a3b-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/tsg_conn_sketch-2.0.v2.0_alpha.af621ca-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/app_control_plug-1.0.9.97846eb-2.el7.x86_64.rpm
 
 - name: "Template the tsgconf/main.conf"
   template:
@@ -46,3 +46,15 @@
     src: "{{ role_path }}/templates/capture_packet_plug.conf.j2"
     dest: /home/mesasoft/sapp_run/conf/capture_packet_plug.conf
   tags: template
+
+- name: "Template the tsgconf/app_l7_proto_id.conf"
+  template:
+    src: "{{ role_path }}/templates/app_l7_proto_id.conf.j2"
+    dest: /home/mesasoft/sapp_run/tsgconf/app_l7_proto_id.conf
+ 
+- name: "Template the /home/mesasoft/sapp_run/plug/business/tsg_conn_sketch/tsg_conn_sketch.inf"
+  template:
+    src: "{{ role_path }}/templates/tsg_conn_sketch.inf.j2"
+    dest: /home/mesasoft/sapp_run/plug/business/tsg_conn_sketch/tsg_conn_sketch.inf
+  tags: template
+

roles/firewall/templates/app_l7_proto_id.conf.j2

@@ -0,0 +1,51 @@
+#TYPE：1:UCHAR,2:USHORT,3:USTRING,4:ULOG,5:USTRING,6:FILE,7:UBASE64,8:PACKET
+#TYPE	FIELD		VALUE
+STRING	UNCATEGORIZED	100
+STRING	UNCATEGORIZED	101
+STRING	UNKNOWN_OTHER	102
+STRING	DNS		103
+STRING	FTP		104
+STRING	FTPS		105
+STRING	HTTP		106
+STRING	HTTPS		107
+STRING	ICMP		108
+STRING	IKE		109
+STRING	MAIL		110
+STRING	IMAPS		111
+STRING	IPSEC		112
+STRING	XMPP		113
+STRING	L2TP		114
+STRING	NTP		115
+STRING	POP3S		117
+STRING	PPTP		118
+STRING	QUIC		119
+STRING	SIP		120
+STRING	SMB		121
+STRING	SMTPS		123
+STRING	SPDY		124
+STRING	SSH		125
+STRING	SSL		126
+STRING	SOCKS		127
+STRING	TELNET		128
+STRING	DHCP		129
+STRING	RADIUS		130
+STRING	OPENVPN		131
+STRING	STUN		132
+STRING	TEREDO		133
+STRING	DTLS		134
+STRING	DoH		135
+STRING	ISAKMP		136
+STRING	MDNS		137
+STRING	NETBIOS		138
+STRING	NETFLOW		139
+STRING	RDP		140
+STRING	RTCP		141
+STRING	RTP		142
+STRING	SLP		143
+STRING	SNMP		144
+STRING	SSDP		145
+STRING	TFTP		146
+STRING	BJNP		147
+STRING	LDAP		148
+STRING	RTMP		149
+STRING	RTSP		150

roles/firewall/templates/capture_packet_plug.conf.j2

@@ -1,25 +1,28 @@
-[MAAT]
+[MAAT]
-MAAT_MODE=2
+MAAT_MODE=2
-#EFFECTIVE_FLAG=
+#EFFECTIVE_FLAG=
-STAT_SWITCH=1
+STAT_SWITCH=1
-PERF_SWITCH=1
+PERF_SWITCH=1
-TABLE_INFO=conf/capture_packet_tableinfo.conf
+TABLE_INFO=conf/capture_packet_tableinfo.conf
-STAT_FILE=capture_packet_maat.status
+STAT_FILE=capture_packet_maat.status
-EFFECT_INTERVAL_S=1
+EFFECT_INTERVAL_S=1
-REDIS_IP={{ maat_redis_server.address }}
+REDIS_IP={{ maat_redis_server.address }}
-REDIS_PORT_NUM=1
+REDIS_PORT_NUM={{ maat_redis_server.port_num }}
-REDIS_PORT={{ maat_redis_server.port }}
+REDIS_PORT={{ maat_redis_server.port }}
-REDIS_INDEX=0
+REDIS_INDEX={{ maat_redis_server.db }}
-JSON_CFG_FILE=conf/capture_packet_maat.json
+JSON_CFG_FILE=conf/capture_packet_maat.json
-INC_CFG_DIR=capture_packet_rule/inc/index/
+INC_CFG_DIR=capture_packet_rule/inc/index/
-FULL_CFG_DIR=capture_packet_rule/full/index/
+FULL_CFG_DIR=capture_packet_rule/full/index/
-
+EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
-[LOG]
+
-NIC_NAME={{ nic_mgr.name }}
+ACCEPT_TAGS={"tags":[{"tag":"data_center","value":"{{ data_center }}"}]}
-BROKER_LIST={{ log_kafkabrokers.address }}
+
-FIELD_FILE=conf/capture_packet_log_field.conf
+[LOG]
-
+NIC_NAME={{ nic_mgr.name }}
-[SYSTEM]
+BROKER_LIST={{ log_kafkabrokers.address | join(",") }}
-LOG_LEVEL={{ capture_packet_log_level }}
+FIELD_FILE=conf/capture_packet_log_field.conf
-LOG_PATH=./tsglog/capture_packet_plug/capture_packet
+
-
+[SYSTEM]
+LOG_LEVEL={{ capture_packet_log_level }}
+LOG_PATH=./tsglog/capture_packet_plug/capture_packet
+

roles/firewall/templates/maat.conf.j2

@@ -7,12 +7,13 @@ TABLE_INFO=tsgconf/tsg_static_tableinfo.conf
 STAT_FILE=tsg_static_maat.status
 EFFECT_INTERVAL_S=1
 REDIS_IP={{ maat_redis_server.address }}
-REDIS_PORT_NUM=1
+REDIS_PORT_NUM={{ maat_redis_server.port_num }}
-REDIS_PORT=7002
+REDIS_PORT={{ maat_redis_server.port }}
-REDIS_INDEX=0
+REDIS_INDEX={{ maat_redis_server.db }}
 JSON_CFG_FILE=tsgconf/tsg_maat.json
 INC_CFG_DIR=tsgrule/inc/index/
 FULL_CFG_DIR=tsgrule/full/index/
+EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
 
 [DYNAMIC]
 ###0:location 1:json 2:redis
@@ -23,10 +24,13 @@ TABLE_INFO=tsgconf/tsg_dynamic_tableinfo.conf
 STAT_FILE=tsg_dynamic_maat.status
 EFFECT_INTERVAL_S=1
 REDIS_IP={{ dynamic_maat_redis_server.address }}
-REDIS_PORT_NUM=1
+REDIS_PORT_NUM={{ dynamic_maat_redis_server.port_num }}
-REDIS_PORT=7002
+REDIS_PORT={{ dynamic_maat_redis_server.port }}
-REDIS_INDEX=1
+REDIS_INDEX={{ dynamic_maat_redis_server.db }}
 JSON_CFG_FILE=tsgconf/tsg_maat.json
 INC_CFG_DIR=tsgrule/inc/index/
 FULL_CFG_DIR=tsgrule/full/index/
+EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
 
+[MAAT]
+ACCEPT_TAGS={"tags":[{"tag":"data_center","value":"{{ data_center }}"}]}

roles/firewall/templates/main.conf.j2

@@ -1,55 +1,64 @@
 [FTP_PLUG]
-LOG_PATH=./tsglog/fw_ftp_plug/fw_ftp_plug
+LOG_PATH="./tsglog/fw_ftp_plug/fw_ftp_plug"
 LOG_LEVEL={{ fw_ftp_log_level }}
 TIMEOUT=600
 
 [MAIL_PLUG]
-LOG_PATH=./tsglog/fw_mail_plug/fw_mail_plug
+LOG_PATH="./tsglog/fw_mail_plug/fw_mail_plug"
 LOG_LEVEL={{ fw_mail_log_level }}
 TIMEOUT=600
 
 [HTTP_PLUG]
-LOG_PATH=./tsglog/fw_http_plug/fw_http_plug
+LOG_PATH="./tsglog/fw_http_plug/fw_http_plug"
 LOG_LEVEL={{ fw_http_log_level }}
 
 [DNS_PLUG]
-LOG_PATH=./tsglog/fw_dns_plug/fw_dns_plug
+LOG_PATH="./tsglog/fw_dns_plug/fw_dns_plug"
 LOG_LEVEL={{ fw_dns_log_level }}
 
 [QUIC_PLUG]
-LOG_PATH=./tsglog/fw_quic_plug/fw_quic_plug
+LOG_PATH="./tsglog/fw_quic_plug/fw_quic_plug"
 LOG_LEVEL={{ fw_quic_log_level }}
 
+[CONTROL_PLUG]
+LOG_PATH="./tsglog/app_control_plug/app_control_plug"
+LOG_LEVEL={{ app_control_log_level }}
+
 [MAAT]
-PROFILE=./tsgconf/maat.conf
+PROFILE="./tsgconf/maat.conf"
-SUBSCRIBER_ID_TABLE=TSG_OBJ_SUBSCRIBER_ID
+SUBSCRIBER_ID_TABLE="TSG_OBJ_SUBSCRIBER_ID"
-CB_SUBSCRIBER_IP_TABLE=TSG_DYN_SUBSCRIBER_IP
+CB_SUBSCRIBER_IP_TABLE="TSG_DYN_SUBSCRIBER_IP"
-IP_ADDR_TABLE=TSG_SECURITY_ADDR
+IP_ADDR_TABLE="TSG_SECURITY_ADDR"
 
 [TSG_LOG]
 MODE=1
-NIC_NAME={{ nic_mgr.name }}
+NIC_NAME="{{ nic_mgr.name }}"
 MAX_SERVICE=1
 LOG_LEVEL={{ tsg_log_level }}
-LOG_PATH=./tsglog/tsglog
+LOG_PATH="./tsglog/tsglog"
-BROKER_LIST={{ log_kafkabrokers.address }}
+BROKER_LIST="{{ log_kafkabrokers.address | join(",") }}"
-COMMON_FIELD_FILE=tsgconf/tsg_log_field.conf
+COMMON_FIELD_FILE="tsgconf/tsg_log_field.conf"
 
 [STATISTIC]
 CYCLE=5
 TELEGRAF_PORT=8100
-TELEGRAF_IP=127.0.0.1
+TELEGRAF_IP="127.0.0.1"
-OUTPUT_PATH=./tsg_statistic.log
+OUTPUT_PATH="./tsg_statistic.log"
-APP_NAME=statistic
+APP_NAME="statistic"
 
 [FIELD_STAT]
 CYCLE=5
 TELEGRAF_PORT=8100
-TELEGRAF_IP=127.0.0.1
+TELEGRAF_IP="127.0.0.1"
-OUTPUT_PATH=./tsg_stat.log
+OUTPUT_PATH="./tsg_stat.log"
-APP_NAME=tsg_master
+APP_NAME="tsg_master"
 
 [SYSTEM]
+ENTRANCE_ID={{ tsg_master_entrance_id }}
 LOG_LEVEL={{ tsg_master_log_level }}
-LOG_PATH=./tsglog/tsg_master
+LOG_PATH="./tsglog/tsg_master"
-POLICY_PRIORITY_LABEL=POLICY_PRIORITY
+POLICY_PRIORITY_LABEL="POLICY_PRIORITY"
+DEVICE_ID_COMMAND="hostname | awk -F'-' '{print $3}'| awk -F'adc' '{print $2}'"
+
+[TSG_CONN_SKETCH]
+log_service=2

roles/firewall/templates/tsg_conn_sketch.inf.j2

@@ -0,0 +1,35 @@
+[PLUGINFO]
+PLUGNAME=TSG_CONN_SKETCH
+SO_PATH=./plug/business/tsg_conn_sketch/tsg_conn_sketch.so
+INIT_FUNC=tsg_conn_record_init
+DESTROY_FUNC=tsg_conn_record_destroy
+
+
+[TCP]
+FUNC_FLAG=ALL
+FUNC_NAME=tsg_record_tcp_entry
+
+[TCP_ALL]
+FUNC_FLAG=ALL
+FUNC_NAME=tsg_record_tcpall_entry
+
+[UDP]
+FUNC_FLAG=ALL
+FUNC_NAME=tsg_record_udp_entry
+
+[HTTP]
+FUNC_FLAG=ALL
+FUNC_NAME=tsg_record_http_entry
+
+[SSL]
+FUNC_FLAG=SSL_CLIENT_HELLO,SSL_SERVER_HELLO,SSL_APPLICATION_DATA,SSL_CERTIFICATE_DETAIL
+FUNC_NAME=tsg_record_ssl_entry
+
+#[DNS]
+#FUNC_FLAG=ALL
+#FUNC_NAME=tsg_record_dns_entry
+
+[MAIL]
+FUNC_FLAG=ALL
+FUNC_NAME=tsg_record_mail_entry
+