update

deploy.yml

@@ -1,3 +1,15 @@
+- hosts:
+    - adc_mcn0
+    - adc_mcn1
+    - adc_mcn2
+    - adc_mcn3
+  remote_user: root
+  vars_files:
+    - install_config/group_vars/adc_global.yml
+  roles:
+    - framework
+    - kernel-ml
+
 - hosts: adc_mxn
   remote_user: root
   roles:
@@ -10,19 +22,18 @@
     - install_config/group_vars/adc_mcn0.yml
   roles:
 #    - tsg-env-mcn0
-    - framework
-    - kernel-ml
     - mrzcpd
     - sapp
     - tsg_master
     - kni
     - firewall
+    - tsg_app
     - http_healthcheck
     - clotho
     - certstore
     - cert-redis
     - telegraf_statistic
-    - tsg_device_tag
+#    - tsg_device_tag
 
 - hosts: adc_mcn1
   remote_user: root
@@ -31,8 +42,6 @@
     - install_config/group_vars/adc_mcn1.yml
   roles:
 #    - tsg-env-mcn1
-    - framework
-    - kernel-ml
     - mrzcpd
     - tfe
 
@@ -43,8 +52,6 @@
     - install_config/group_vars/adc_mcn2.yml
   roles:
 #    - tsg-env-mcn2
-    - framework
-    - kernel-ml
     - mrzcpd
     - tfe
 
@@ -55,11 +62,38 @@
     - install_config/group_vars/adc_mcn3.yml
   roles:
 #    - tsg-env-mcn3
-    - framework
-    - kernel-ml
     - mrzcpd
     - tfe
 
+- hosts: adc_mcn0
+  remote_user: root
+  roles:
+    - tsg-diagnose
+
+- hosts: 
+    - adc_mcn1
+    - adc_mcn2
+    - adc_mcn3
+  remote_user: root
+  roles:
+    - tsg-diagnose_sync_ca
+    
+- hosts: adc_mcn0
+  remote_user: root
+  roles:
+    - tsg-diagnose_stop_sync
+
+- hosts:
+    - adc_mcn0
+    - adc_mcn1
+    - adc_mcn2
+    - adc_mcn3
+  remote_user: root
+  vars_files:
+    - install_config/group_vars/adc_global.yml
+  roles:
+    - reboot
+
 - hosts: server-as-tun-mode
   remote_user: root
   vars_files:
@@ -73,6 +107,7 @@
     - tsg_master
     - kni
     - firewall
+    - tsg_app
     - http_healthcheck
     - clotho
     - certstore
@@ -80,4 +115,12 @@
     - tfe
     - telegraf_statistic
     - proxy_status
-    - tsg_device_tag
+#    - tsg_device_tag
+    - reboot
+
+- hosts: app_global
+  remote_user: root
+  vars_files:
+    - install_config/group_vars/app_global.yml
+  roles:
+    - app_global

install_config/group_vars/adc_global.yml

@@ -4,6 +4,10 @@ tsg_access_type: 3
 #####2: ADC;
 tsg_running_type: 2
 
+########################################
+#Deploy_finished_reboot
+Deploy_finished_reboot: 1
+
 ########################################
 #IP Config
 maat_redis_server:
@@ -30,29 +34,29 @@ log_minio:
 #########################################
 #Log Level Config
 #日志等级 10:DEBUG 20:INFO 30:FATAL
-fw_ftp_log_level: 30
-fw_mail_log_level: 30
-fw_http_log_level: 30
-fw_dns_log_level: 30
-fw_quic_log_level: 30
-capture_packet_log_level: 30
-tsg_log_level: 30
-tsg_master_log_level: 30
-kni_log_level: 30
-tfe_log_level: 30
-tfe_http_log_level: 30
-pangu_log_level: 30
-doh_log_level: 30
-certstore_log_level: 30
+fw_ftp_log_level: 10
+fw_mail_log_level: 10
+fw_http_log_level: 10
+fw_dns_log_level: 10
+fw_quic_log_level: 10
+capture_packet_log_level: 10
+tsg_log_level: 10
+tsg_master_log_level: 10
+kni_log_level: 10
+tfe_log_level: 10
+tfe_http_log_level: 10
+pangu_log_level: 10
+doh_log_level: 10
+certstore_log_level: 10
 clotho_log_level: 10
 
 #######################################
 #Sapp Performance Config
 #Sapp工作在ADC计算板0时，建议使用如下30+8的配置，以保证更高的处理性能
 sapp:
-  worker_threads: 30
-  send_only_threads_max: 8
-  bind_mask: 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37
+  worker_threads: 37
+  send_only_threads_max: 1
+  bind_mask: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38
   inbound_route_dir: 1
 
 ########################################
@@ -75,15 +79,22 @@ kni:
 #Tfe Config
 tfe:
   nr_threads: 32
-  mc_cache_eth: lo 
-  keykeeper:
-    no_cache: 0
+  mirror_enable: 1
 
 ########################################
 #Marsio Config
 #marsio工作在ADC计算板时，建议使用如下配置，以保证更高的处理性能
 mrzcpd:
-  iocore: 44,45,46,47
+  iocore: 52,53,54,55
 
 mrtunnat:
-  lcore_id: 40,41,42,43
+  lcore_id: 48,49,50,51 
+
+#########################################
+#Tsg_app
+tsg_app_enable: 0
+app_global_ip: "1.1.1.1"
+applog_level: 10
+app_master_log_level: 10
+app_sketch_local_log_level: 10
+app_control_plug_log_level: 10

install_config/group_vars/adc_mcn0.yml

@@ -1,7 +1,7 @@
 #########################################
 #Mcn0管理口网卡名
 nic_mgr:
-  name: enp6s0
+  name: ens1f3
 
 #########################################
 #Mcn0流量接入网卡，固定配置

install_config/group_vars/adc_mcn1.yml

@@ -1,7 +1,7 @@
 #########################################
 #Mcn1管理口网卡名
 nic_mgr:
-  name: enp6s0
+  name: ens1f3
 
 #########################################
 #Mcn1流量接入网卡，固定配置

install_config/group_vars/adc_mcn2.yml

@@ -1,7 +1,7 @@
 #########################################
 #Mcn2管理口网卡名
 nic_mgr:
-  name: enp6s0
+  name: ens8f3
 
 #########################################
 #Mcn2流量接入网卡，固定配置

install_config/group_vars/adc_mcn3.yml

@@ -1,7 +1,7 @@
 #########################################
 #Mcn3管理口网卡名
 nic_mgr:
-  name: enp6s0
+  name: ens8f3
 
 #########################################
 #Mcn3流量接入网卡，固定配置

install_config/group_vars/app_global.yml

@@ -0,0 +1,10 @@
+#########################################
+app_sketch_global_log_level: 10
+
+maat_redis_server:
+  address: "192.168.40.168"
+  port: 7002
+  db: 0
+
+file_stat_ip: "1.1.1.1"
+  

install_config/group_vars/server_as_tun_mode.yml

@@ -4,6 +4,10 @@ tsg_access_type: 1
 #####0: Tun_mode;  1: normal;
 tsg_running_type: 1
 
+########################################
+#Deploy_finished_reboot
+Deploy_finished_reboot: 1
+
 ########################################
 #Server Basic Config
 nic_mgr:
@@ -58,9 +62,9 @@ clotho_log_level: 10
 #Sapp Performance Config
 #如果tsg_access_type=0，sapp跑在pcap模式，则以下配置可忽略
 sapp:
-  worker_threads: 16
-  send_only_threads_max: 8
-  bind_mask: 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23
+  worker_threads: 23
+  send_only_threads_max: 1
+  bind_mask: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
   inbound_route_dir: 1
 
 #########################################
@@ -90,9 +94,7 @@ kni:
 #Tfe Config
 tfe:
   nr_threads: 32
-  mc_cache_eth: lo 
-  keykeeper:
-    no_cache: 0
+  mirror_enable: 1
 
 #########################################
 #Marsio Config
@@ -102,6 +104,15 @@ mrzcpd:
 mrtunnat:
   lcore_id: 38
 
+#########################################
+#Tsg_app
+tsg_app_enable: 1
+app_global_ip: "1.1.1.1"
+applog_level: 10
+app_master_log_level: 10
+app_sketch_local_log_level: 10
+app_control_plug_log_level: 10
+
 #########################################
 #ATCA Config
 #下列配置只在tsg_access_type=4时生效

install_config/hosts

@@ -4,6 +4,10 @@
 #变量device_id根据设备序号设置即可
 #变量vvipv4_1、vvipv4_2、vvipv6_1、vvipv6_2为Allot相关配置，其他环境可不填或直接删除变量
 #
+#20.09版本新增APP部署
+#[app_global]
+#0.0.0.0
+
 #[server-as-tun-mode]
 #1.1.1.1 device_id=device_1
 #
@@ -27,6 +31,7 @@
 #10.3.76.1 device_id=device_1
 #10.3.76.2 device_id=device_2
 
+[app_global]
 [server-as-tun-mode]
 [adc_mxn]
 [adc_mcn0]

roles/app_global/tasks/main.yml

@@ -0,0 +1,28 @@
+- name: "copy app_global rpm to destination server"
+  copy:
+    src: "{{ role_path }}/files/"
+    dest: /tmp/ansible_deploy/
+
+- name: "install app rpms from localhost"
+  yum:
+    name:
+      - /tmp/ansible_deploy/emqx-centos7-v4.1.2.x86_64.rpm
+      - /tmp/ansible_deploy/app-sketch-global-1.0.2.20200918.c702d02-1.el7.x86_64.rpm
+    state: present
+
+- name: "template the app_sketch_global.conf"
+  template:
+    src: "{{ role_path }}/templates/app_sketch_global.conf.j2"
+    dest: /opt/tsg/app-sketch-global/conf/app_sketch_global.conf
+
+- name: "Start emqx"
+  systemd:
+    name: emqx.service
+    state: started
+    enabled: yes
+
+- name: "Start app-sketch-global"
+  systemd:
+    name: app-sketch-global.service
+    state: started
+    enabled: yes

roles/app_global/templates/app_sketch_global.conf.j2

@@ -0,0 +1,36 @@
+[SYSTEM]
+#1:print on screen, 0:don't
+DEBUG_SWITCH = 1
+#10:DEBUG, 20:INFO, 30:FATAL
+RUN_LOG_LEVEL = {{ app_sketch_global_log_level }}
+RUN_LOG_PATH = ./logs
+
+[CONFIG]
+#Number of running threads
+thread-nu = 1
+timeout = 3600
+address="tcp://127.0.0.1:1883"
+topic_name="APP_SIGNATURE_ID"
+client_name="ExampleClientSub"
+
+[maat]
+# 0:json 1: redis 2: iris
+maat_input_mode=1
+table_info=./resource/table_info.conf
+json_cfg_file=./resource/gtest.json
+stat_file=logs/verify-policy.status
+full_cfg_dir=verify-policy/
+inc_cfg_dir=verify-policy/
+
+maat_redis_server={{ maat_redis_server.address }}
+maat_redis_port_range={{ maat_redis_server.port }}
+maat_redis_db_index={{ maat_redis_server.db }}
+effect_interval_s=1
+accept_tags={"tags":[{"tag":"location","value":"Astana"}]}
+
+[stat]
+statsd_server={{ file_stat_ip }}
+statsd_port=8100
+statsd_cycle=5
+# FS_OUTPUT_STATSD=1, FS_OUTPUT_INFLUX_LINE=2
+statsd_format=2

roles/cert-redis/files/cert-redis/6379/6379.conf

@@ -160,7 +160,7 @@ loglevel notice
 # Specify the log file name. Also the empty string can be used to force
 # Redis to log on the standard output. Note that if you use standard
 # output for logging but daemonize, logs will be sent to /dev/null
-logfile "/home/tsg/cert-redis/6379/6379.log"
+logfile "/opt/tsg/cert-redis/6379/6379.log"
 
 # To enable logging to the system logger, just set 'syslog-enabled' to yes,
 # and optionally update the other syslog parameters to suit your needs.
@@ -244,7 +244,7 @@ dbfilename dump.rdb
 # The Append Only File will also be created inside this directory.
 #
 # Note that you must specify a directory here, not a file name.
-dir /home/tsg/cert-redis/6379/
+dir /opt/tsg/cert-redis/6379/
 
 ################################# REPLICATION #################################
 

roles/cert-redis/files/cert-redis/start-cert-redis

@@ -1,4 +1,4 @@
 #!/bin/bash
 #
 
-/usr/local/bin/redis-server /home/tsg/cert-redis/6379/6379.conf
+/usr/local/bin/redis-server /opt/tsg/cert-redis/6379/6379.conf

roles/cert-redis/tasks/main.yml

@@ -1,11 +1,11 @@
 - name: "copy cert-redis to destination server"
   copy:
     src: "{{ role_path }}/files/"
-    dest: /home/tsg
+    dest: /opt/tsg
     mode: 0755
 
 - name: "install cert-redis"
-  shell: cd /home/tsg/cert-redis;sh install.sh
+  shell: cd /opt/tsg/cert-redis;sh install.sh
 
 - name: "start cert-redis"
   systemd:

roles/certstore/tasks/main.yml

@@ -3,20 +3,20 @@
     src: "{{ role_path }}/files/"
     dest: "/tmp/ansible_deploy/"
 
-- name: Ensures /home/tsg exists
-  file: path=/home/tsg state=directory
+- name: Ensures /opt/tsg exists
+  file: path=/opt/tsg state=directory
   tags: mkdir
 
 - name: install certstore
   yum:
     name:
-      - /tmp/ansible_deploy/certstore-2.1.2.20200828.f507b3e-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/certstore-2.1.2.202009.87fcacf-1.el7.x86_64.rpm
     state: present
 
 - name: template certstore configure file
   template:
     src: "{{ role_path }}/templates/cert_store.ini.j2"
-    dest: /home/tsg/certstore/conf/cert_store.ini
+    dest: /opt/tsg/certstore/conf/cert_store.ini
 
 - name: "start certstore"
   systemd:

roles/firewall/tasks/main.yml

@@ -12,10 +12,9 @@
   vars:
     fw_packages:
       - /tmp/ansible_deploy/capture_packet_plug-3.0.2.09f193c-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/clotho-debug-1.0.0.-1.el7.x86_64.rpm
-      - /tmp/ansible_deploy/dns-2.0.6.d8317e9-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/dns-2.0.8.beb1d09-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/ftp-1.0.6.2710506-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/fw_dns_plug-3.0.0.0a5d574-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_dns_plug-3.0.1.453c533-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/fw_ftp_plug-3.0.0.7a867ea-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/fw_http_plug-3.0.0.1ca1c65-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/fw_mail_plug-3.0.0.3b4e481-2.el7.x86_64.rpm
@@ -23,10 +22,9 @@
       - /tmp/ansible_deploy/fw_ssl_plug-3.0.1.7ea9976-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/http-2.0.3.9218b4b-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/mail-1.0.7.9e3be05-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/quic-1.1.6.d6755d8-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/ssl-1.0.3.e8482a4-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/tsg_conn_record-1.0.2.2afb19a-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/tsg_conn_sketch-2.0.v2.0_alpha.af621ca-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/quic-1.1.9.810857d-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/ssl-1.0.8.0068bd9-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/tsg_conn_sketch-2.0.5.63c1e51-2.el7.x86_64.rpm
 
 - name: "Template the tsgconf/main.conf"
   template:

roles/framework/tasks/main.yml

@@ -11,18 +11,19 @@
   vars:
     packages:
       - /tmp/ansible_deploy/libMESA_field_stat-1.0.1.852c2df-1.el7.x86_64.rpm
-      - /tmp/ansible_deploy/libMESA_field_stat2-2.9.0.16ecf3b-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/libMESA_handle_logger-1.0.9.304259e-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libMESA_field_stat2-2.9.1.d80b5fb-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libMESA_handle_logger-2.0.4.1502550-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/libMESA_htable-3.10.11.6275308-1.el7.x86_64.rpm
       - /tmp/ansible_deploy/libMESA_prof_load-1.0.5.bf755de-1.el7.x86_64.rpm
       - /tmp/ansible_deploy/libWiredLB-2.0.3.c7d131b-1.el7.x86_64.rpm
       - /tmp/ansible_deploy/libcjson-1.7.8.542ad7f-1.el7.x86_64.rpm
       - /tmp/ansible_deploy/libdocumentanalyze-2.0.4.efdfc29-1.el7.x86_64.rpm
-      - /tmp/ansible_deploy/libmaatframe-3.0.3.5931b44-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libmaatframe-3.0.7.34de556-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/librulescan-2.2.0.900d2b3-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/libwiredcfg-2.0.2.7ce1eea-1.el7.x86_64.rpm
       - /tmp/ansible_deploy/lz4-1.7.5-3.el7.x86_64.rpm
       - /tmp/ansible_deploy/librdkafka-0.11.4-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libtsglua-1.0.7.0864e4a-2.el7.x86_64.rpm
 
 - name: "mkdir /etc/ld.so.conf.d/"
   file:

roles/kernel-ml/tasks/main.yml

@@ -40,6 +40,6 @@
     - tsg_access_type == 4
     - t_kernel_ml.changed
 
-- name: "reboot"
-  reboot:
-  when: t_kernel_ml.changed
+#- name: "reboot"
+#  reboot:
+#  when: t_kernel_ml.changed

roles/kni/tasks/main.yml

@@ -7,7 +7,7 @@
 - name: "install kni rpms from localhost"
   yum:
     name:
-      - /tmp/ansible_deploy/kni-20.07-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/kni-20.09-1.el7.x86_64.rpm
     state: present
 
 - name: Template the kni.conf

roles/kni/templates/kni.conf.j2

@@ -81,3 +81,55 @@ remote_port = 8100
 local_path = ./fs2_kni.status
 stat_cycle = 1
 print_mode = 1
+
+[ssl_dynamic_bypass]
+enabled = 1
+
+#kni dynamic bypass
+[traceid2sslinfo_htable]
+mho_screen_print_ctrl = 0
+mho_thread_safe = 1
+mho_mutex_num = 160
+mho_hash_slot_size = 80000
+mho_hash_max_element_num = 320000
+mho_expire_time = 300
+mho_eliminate_type = FIFO
+
+[sslinfo2bypass_htable]
+mho_screen_print_ctrl = 0
+mho_thread_safe = 1
+mho_mutex_num = 160
+mho_hash_slot_size = 640000
+mho_hash_max_element_num = 2560000
+mho_expire_time = 300
+mho_eliminate_type = FIFO
+
+[proxy_tcp_option]
+enabled = 1
+maat_table_compile = PXY_TCP_OPTION_COMPILE
+maat_table_addr = PXY_TCP_OPTION_ADDR
+maat_table_fqdn = PXY_TCP_OPTION_SERVER_FQDN
+enable_override = 0
+client_tcp_maxseg_enable = 0
+client_tcp_maxseg = 1460
+client_tcp_nodelay =  1
+client_tcp_ttl = 70
+client_tcp_keepalive_enable = 1
+client_tcp_keepalive_keepcnt = 8
+client_tcp_keepalive_keepidle = 30
+client_tcp_keepalive_keepintvl = 15
+client_tcp_user_timeout = 600
+server_tcp_maxseg_enable = 0
+server_tcp_maxseg = 1460
+server_tcp_nodelay = 1
+server_tcp_ttl = 75
+server_tcp_keepalive_enable = 1
+server_tcp_keepalive_keepcnt = 8
+server_tcp_keepalive_keepidle = 30
+server_tcp_keepalive_keepintvl = 15
+server_tcp_user_timeout = 600
+bypass_duplicated_packet = 0
+tcp_passthrough = 0
+
+[share_session_attribute]
+SESSION_ATTRIBUTE_LABEL=TSG_MASTER_INTERNAL_LABEL

roles/mrzcpd/templates/adc_inline/mrglobal.conf.adc_inline.j2

@@ -10,7 +10,7 @@ jumbo_frame=1
 max_rx_pkt_len=15360
 clear_tx_flags=1
 vlan-filter=1
-vlan-id-allow=1000,1001
+vlan-id-allow=1000,1001,4000,4001
 
 [device:{{nic_to_tfe.tfe0.name}}]
 jumbo_frame=1

roles/mrzcpd/templates/adc_inline/mrtunnat.conf.adc_inline.j2

@@ -16,3 +16,6 @@ enable=1
 c_router_vlan_id_0=1000
 i_router_vlan_id_0=1001
 en_mac_flipping_0=0
+c_router_vlan_id_1=4000
+i_router_vlan_id_1=4001
+en_mac_flipping_1=0

roles/mrzcpd/templates/adc_tun_mode/mrglobal.conf.adc_tun_mode.j2

@@ -8,7 +8,7 @@ jumbo_frame=1
 max_rx_pkt_len=15360
 clear_tx_flags=1
 vlan-filter=1
-vlan-id-allow=1000,1001,2000,2001
+vlan-id-allow=1000,1001,2000,2001,4000,4001
 vlan-pvid=0
 vlan-pvid-mode=2
 promisc=1

roles/mrzcpd/templates/adc_tun_mode/mrtunnat.conf.adc_tun_mode.j2

@@ -19,3 +19,6 @@ en_mac_flipping_0=0
 c_router_vlan_id_1=2000
 i_router_vlan_id_1=2001
 en_mac_flipping_1=0
+c_router_vlan_id_2=4000
+i_router_vlan_id_2=4001
+en_mac_flipping_2=0

roles/mrzcpd/templates/allot_access/mrglobal.conf.allot_access.j2

@@ -8,7 +8,7 @@ jumbo_frame=1
 max_rx_pkt_len=15360
 clear_tx_flags=1
 vlan-filter=1
-vlan-id-allow={{ AllotAccess.virturlID_1 }},{{ AllotAccess.virturlID_2 }}
+vlan-id-allow={{ AllotAccess.virturlID_1 }},{{ AllotAccess.virturlID_2 }},4000,4001,1000,1001
 vlan-pvid=0
 vlan-pvid-mode=2
 promisc=1

roles/mrzcpd/templates/allot_access/mrtunnat.conf.allot_access.j2

@@ -16,4 +16,10 @@ enable=1
 c_router_vlan_id_0={{ AllotAccess.virturlID_1 }}
 i_router_vlan_id_0={{ AllotAccess.virturlID_2 }}
 en_mac_flipping_0=1
+c_router_vlan_id_1=1000
+i_router_vlan_id_1=1001
+en_mac_flipping_1=0
+c_router_vlan_id_2=4000
+i_router_vlan_id_2=4001
+en_mac_flipping_2=0
 

roles/mrzcpd/templates/traffic_mirror/mrglobal.conf.traffic_mirror.j2

@@ -1,5 +1,5 @@
 [device]
-device=fake
+device={{nic_traffic_mirror.name}}
 sz_tunnel=8192
 sz_buffer=0
 

roles/reboot/tasks/main.yml

@@ -0,0 +1,3 @@
+- name: "reboot"
+  reboot:
+  when: Deploy_finished_reboot == 1

roles/sapp/tasks/main.yml

@@ -4,10 +4,16 @@
     src: "{{ role_path }}/files/"
     dest: /tmp/ansible_deploy/
 
+- name: "copy maat_redis_tool to destination server"
+  copy:
+    src: "{{ role_path }}/files/maat_redis_tool"
+    dest: /usr/local/bin
+    mode: 0755
+
 - name: "install sapp rpms from localhost"
   yum:
     name:
-      - /tmp/ansible_deploy/sapp-4.0.20.b59c12a-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/sapp-4.1.7.4f2839a-2.el7.x86_64.rpm
     state: present
     skip_broken: yes
 

roles/sapp/templates/conflist.inf.j2

@@ -10,6 +10,9 @@
 #./plug/platform/http_healthcheck/http_healthcheck.inf
 {% endif %}
 ./plug/platform/tsg_master/tsg_master.inf
+{% if tsg_app_enable == 1 %}
+./plug/platform/app_master/app_master.inf
+{% endif %}
 
 [protocol]
 ./plug/protocol/ssl/ssl.inf
@@ -27,6 +30,10 @@
 ./plug/business/fw_mail_plug/fw_mail_plug.inf
 ./plug/business/fw_ftp_plug/fw_ftp_plug.inf
 ./plug/business/fw_quic_plug/fw_quic_plug.inf
-./plug/business/tsg_conn_record/tsg_conn_record.inf
 ./plug/business/tsg_conn_sketch/tsg_conn_sketch.inf
 ./plug/business/capture_packet_plug/capture_packet_plug.inf
+{% if tsg_app_enable == 1 %}
+./plug/business/app_sketch_local/app_sketch_local.inf
+./plug/business/app_control_plug/app_control_plug.inf
+./plug/business/app_proto_identify/app_proto_identify.inf
+{% endif %}

roles/sapp/templates/project_list.conf.j2

@@ -4,4 +4,17 @@ tcp_deduce_flow_stat    struct
 POLICY_PRIORITY	struct
 ESTABLISH_LATENCY	long
 MAIL_IDENTIFY	int
-
+TSG_MASTER_INTERNAL_LABEL	struct
+APP_ID_LABEL	struct
+BASIC_PROTO_LABEL	struct
+USER_DEFINED_ATTRIBUTE	struct
+SKETCH_TRANS_LAYER_CTX_LABEL    struct
+SKETCH_PROTO_CTX_LABEL   struct
+common_link_info_c2s	struct
+common_link_info_s2c	struct
+common_link_info struct
+JA3_FINGERPRINT_LABEL	struct
+DKPT_PRO_V2	struct
+DPKT_PROJECT_V2	struct
+PPROJECT_PRO_V2	struct
+DPKT_BHSTAT_PROJECT	struct

roles/sapp/templates/sapp.toml.j2

@@ -14,9 +14,7 @@ worker_threads=1
 {% else %}
 worker_threads={{ sapp.worker_threads }}
 {% endif %}
-{% if tsg_access_type == 4 %}
 send_only_threads_max={{ sapp.send_only_threads_max }}
-{% endif %}
 ### note, bind_mask, if you do not want to bind thread to special CPU core, keep it empty as []
 {% if tsg_access_type == 0 %}
 bind_mask=[]

roles/tfe/tasks/main.yml

@@ -14,7 +14,7 @@
   yum:
     name:
       - /tmp/ansible_deploy/tfe-kmod-v1.0.5.20200408-1dkms.noarch.rpm
-      - /tmp/ansible_deploy/tfe-4.3.9.4d7957e-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/tfe-4.3.10.fb02543-1.el7.x86_64.rpm
     state: present
 
 - name: "template tfe-env config"

roles/tfe/templates/doh.conf.j2

@@ -23,4 +23,5 @@ table_host=TSG_FIELD_DOH_HOST
 # default 0
 ENTRANCE_ID=0
 # default 1
+# if enable "en_sendlog", the iterm "tfe.conf [kafka] enable" must set 1
 en_sendlog=1

roles/tfe/templates/future.conf.j2

@@ -1,5 +1,9 @@
 [STAT]
 no_stats=0
-statsd_server=127.0.0.1
+statsd_server=192.168.100.1
 statsd_port=8100
 histogram_bins=0.50,0.80,0.9,0.95
+statsd_cycle=5
+# FS_OUTPUT_STATSD=1, FS_OUTPUT_INFLUX_LINE=2
+statsd_format=2
+print_diff=1

roles/tfe/templates/tfe.conf.j2

@@ -1,76 +1,128 @@
 [system]
 nr_worker_threads={{ tfe.nr_threads }}
-enable_breakpad=0
-enable_breakpad_upload=0
-breakpad_minidump_dir=/run/tfe/crashreport/
-breakpad_upload_url=http://127.0.0.1:9000/
-disable_coredump=0
+enable_kni_v1=0
+enable_kni_v2=1
 
+# Only when (disable_coredump == 1 || (enable_breakpad == 1 && enable_breakpad_upload == 1)) is satisfied, the core will not be generated locally
+disable_coredump=0
+enable_breakpad=1
+enable_breakpad_upload=0
+breakpad_upload_url=http://sentry.mesalab.cn:9000/api/3/minidump/?sentry_key=e8e446bb3bd8435c97f4c01770ca7025
+# must be /run/tfe/crashreport，due to tmpfile limit
+breakpad_minidump_dir=/run/tfe/crashreport
+
+# ask for at least (1 + nr_worker_threads) masks
+# the first  mask for acceptor thread
+# the others mask for worker   thread
+enable_cpu_affinity=0
+cpu_affinity_mask=1-9
+# LEAST_CONN = 0; ROUND_ROBIN = 1
+load_balance=1
 
 [kni]
+# kni v1
+#uxdomain=/var/run/.tfe_kni_acceptor_handler
+# kni v2
+#scm_socket_file=/var/run/.tfe_kmod_scm_socket
+
+# send cmsg
+send_switch=1
 ip=192.168.100.1
 cmsg_port=2475
+
+# watch dog
 watchdog_switch=1
 watchdog_port=2476
 
 [ssl]
 ssl_max_version=tls13
 ssl_min_version=ssl3
-no_session_cache=0
+ssl_compression=1
+no_ssl2=1
+no_ssl3=0
+no_tls10=0
+no_tls11=0
+no_tls12=0
+default_ciphers=ALL:-aNULL
+no_cert_verify=0
+
+# session ticket
 no_session_ticket=0
-log_master_key=0
-trusted_cert_load_local=1
-trusted_cert_file=resource/tfe/tls-ca-bundle.pem
-trusted_cert_dir=resource/tfe/trusted_storage
-key_log_file=log/sslkeylog.log
-no_alpn=0
 stek_group_num=4
 stek_rotation_time=3600
-service_cache_expire_seconds=600
 
-# SSL mid cert cache
-# default 0
+# session cache
+no_session_cache=0
+session_cache_slots=4194304
+session_cache_expire_seconds=1800
+
+# service cache
+service_cache_slots=4194304
+service_cache_expire_seconds=300
+service_cache_fail_as_pinning_cnt=4
+service_cache_fail_as_proto_err_cnt=5
+service_cache_succ_as_app_not_pinning_cnt=0
+service_cache_fail_time_window=30
+
+# cert
+check_cert_crl=0
+{% if tsg_running_type == 2 %}
+trusted_cert_load_local=1
+#trusted_cert_file=resource/tfe/tls-ca-bundle.pem
+trusted_cert_file=resource/tfe/tsg_diagnose_ca.pem
+{% else %}
+trusted_cert_load_local=0
+trusted_cert_file=resource/tfe/tls-ca-bundle.pem
+#trusted_cert_file=resource/tfe/tsg_diagnose_ca.pem
+{% endif %}
+trusted_cert_dir=resource/tfe/trusted_storage
+
+# master key
+log_master_key=0
+key_log_file=log/sslkeylog.log
+
+# mid cert cache
 mc_cache_enable=1
-# default eth0
-mc_cache_eth={{ nic_inner_ctrl.name }}
-# default NULL
+mc_cache_eth={{ nic_mgr.name }}
 mc_cache_broker_list={{ log_kafkabrokers.address }}
-# default PXY-EXCH-INTERMEDIA-CERT
 mc_cache_topic=PXY-EXCH-INTERMEDIA-CERT
 
 [key_keeper]
 #Mode: debug - generate cert with ca_path, normal - generate cert with cert store
 #0 on cache 1 off cache
-mode= normal
 no_cache=0
+mode=normal
 cert_store_host={{ cert_store_server.address }}
 cert_store_port={{ cert_store_server.port }}
 ca_path=resource/tfe/tango-ca-v3-trust-ca.pem
 untrusted_ca_path=resource/tfe/tango-ca-v3-untrust-ca.pem
-# health_check only for "mode=normal"
-# default 1
+hash_slot_size=131072
+hash_expire_seconds=300
+cert_expire_time=24
+
+# health_check only for "mode=normal" default 1
 enable_health_check=1
 
 [debug]
+# 1 : enforce tcp passthrough
+# 0 : Whether to passthrough depends on the tcp_options in cmsg
 passthrough_all_tcp=0
 
-[traffic_mirror]
-{% if tsg_running_type != 2 %}
-device=lo
-type=0
-{% else %}
-device={{ nic_traffic_mirror.name }}
-type=1
-{% endif %}
-
-
 [ratelimit]
-#read_rate=200000
-#read_burst=200000
-#write_rate=200000
-#write_burst=200000
+read_rate=0
+read_burst=0
+write_rate=0
+write_burst=0
 
 [tcp]
+# read rcv_buff/snd_buff options from tfe conf
+sz_rcv_buffer=-1
+sz_snd_buffer=-1
+
+# 1 : use tcp_options in tfe.conf
+# 0 : use tcp_options in cmsg
+enable_overwrite=0
+tcp_nodelay=1
 so_keepalive=1
 tcp_keepcnt=8
 tcp_keepintvl=15
@@ -81,20 +133,36 @@ tcp_ttl_downstream=70
 
 [log]
 level={{ tfe_log_level }}
+location=log/tfe.log
 
 [stat]
-statsd_server=127.0.0.1
+statsd_server=192.168.100.1
 statsd_port=8100
 statsd_cycle=5
-# FS_OUTPUT_STATSD=1, FS_OUTPUT_INFLUX_LINE=2
+# 1:FS_OUTPUT_STATSD; 2:FS_OUTPUT_INFLUX_LINE
 statsd_format=2
+histogram_bins=0.5,0.8,0.9,0.95
 
 [http]
 loglevel={{ tfe_http_log_level }}
 
+[traffic_mirror]
+{% if tsg_running_type != 2 %}
+enable={{ tfe.mirror_enable }}
+device=lo
+# 0:TRAFFIC_MIRROR_ETHDEV_AF_PACKET; 1:TRAFFIC_MIRROR_ETHDEV_MARSIO
+type=0
+{% else %}
+enable={{ tfe.mirror_enable }}
+device={{ nic_traffic_mirror.name }}
+# 0:TRAFFIC_MIRROR_ETHDEV_AF_PACKET; 1:TRAFFIC_MIRROR_ETHDEV_MARSIO
+type=1
+{% endif %}
+
+
 [kafka]
 enable=1
-nic_name={{ nic_mgr.name }}
+NIC_NAME={{ nic_mgr.name }}
 kafka_brokerlist={{ log_kafkabrokers.address }}
 kafka_topic=PROXY-EVENT-LOG
 device_id_filepath=/opt/tsg/etc/tsg_sn.json
@@ -102,24 +170,29 @@ device_id_filepath=/opt/tsg/etc/tsg_sn.json
 [maat]
 # 0:json 1:redis 2:iris
 maat_input_mode=1
+stat_switch=1
+perf_switch=1
 table_info=resource/pangu/table_info.conf
-json_cfg_file=resource/pangu/pangu_http.json
-stat_file=log/pangu_scan.status
-full_cfg_dir=pangu_policy/full/index/
-inc_cfg_dir=pangu_policy/inc/index/
+accept_path=/opt/tsg/etc/tsg_device_tag.json
+stat_file=log/pangu_scan.fs2
+effect_interval_s=1
+deferred_load_on=0
 
+# Pangu uses accept_tags to support the effective range of the device.
+# Traffic mirroring does not need to support the effective range of the device,
+# but pangu and traffic mirroring use the same maat configuration file.
+# Therefore, there is no need to set accept_tags in tfe.conf,
+# just set accept_tags in the tfe_resource_init() code
+# accept_tags={"tags":[{"tag":"device_id","value":"device_1"}]}
+
+# json mode conf iterm
+json_cfg_file=resource/pangu/pangu_http.json
+
+# redis mode conf iterm
 maat_redis_server={{ maat_redis_server.address }}
 maat_redis_port_range={{ maat_redis_server.port }}
 maat_redis_db_index={{ maat_redis_server.db }}
-effect_interval_s=1
-#accept_tags={"tags":[{"tag":"location","value":"Astana"}]}
-accept_path=/opt/tsg/etc/tsg_device_tag.json
-
-[dynamic_maat]
-maat_input_mode=1
-table_info=resource/pangu/dynamic_maat_table_info.conf
-maat_redis_server={{ dynamic_maat_redis_server.address }}
-maat_redis_port_range={{ dynamic_maat_redis_server.port }}
-maat_redis_db_index={{ dynamic_maat_redis_server.db }}
-effect_interval_s=1
 
+# iris mode conf iterm
+full_cfg_dir=pangu_policy/full/index/
+inc_cfg_dir=pangu_policy/inc/index/

roles/tsg-diagnose/tasks/main.yml

@@ -0,0 +1,38 @@
+- name: "Tsg-diagnose:copy file to device"
+  copy:
+    src: '{{ role_path }}/files/'
+    dest: /tmp/ansible_deploy/
+    
+- name: "unarchive install_docker.zip"
+  unarchive:
+    src: /tmp/ansible_deploy/install_docker.zip
+    dest: /tmp/ansible_deploy/
+    remote_src: yes
+
+- name: "exec docker install shell"
+  shell: cd /tmp/ansible_deploy/install_docker; sh setup_docker.sh
+
+- name: 'Docker service start and enable'
+  systemd:
+    name: docker
+    enabled: yes
+    state: started
+    daemon_reload: yes
+
+- name: "Install tsg-diagnose rpm package"
+  yum:
+    name:
+      - "/tmp/ansible_deploy/tsg-diagnose-20.09-1.el7.x86_64.rpm"
+    state: present
+  
+- name: "tsg-diagnose init certs"
+  shell: /bin/sh /opt/tsg/tsg-diagnose/deploy/init_certs/init_badssl_certs.sh
+
+- name: 'Tsg-diagnose service start'
+  systemd:
+    name: tsg-diagnose
+    enabled: yes
+    daemon_reload: yes
+
+- name: "tsg-diagnose init rsync deamon"
+  shell: /bin/sh /opt/tsg/tsg-diagnose/deploy/rsync/init_rsyncd.sh

roles/tsg-diagnose_stop_sync/tasks/main.yml

@@ -0,0 +1,3 @@
+- name: "tsg-diagnose:  stop rsync deamon process"
+  shell: killall -9 rsync
+

roles/tsg-diagnose_sync_ca/tasks/main.yml

@@ -0,0 +1,6 @@
+- name: "tsg-diagnose: rsync badssl ca certs"
+  shell: rsync -avzP --delete 192.168.100.1::blade0toother /tmp/sync/
+
+- name: "tsg-diagnose: add badssl ca file to tfe tls-ca-bundle"
+  shell: cat  /tmp/sync/ca-root.crt >> /opt/tsg/tfe/resource/tfe/tsg_diagnose_ca.pem
+

roles/tsg_app/tasks/main.yml

@@ -0,0 +1,38 @@
+---
+- name: "copy tsg_app rpms to destination server"
+  copy:
+    src: "{{ role_path }}/files/"
+    dest: /tmp/ansible_deploy/
+
+- name: "install tsg_app packages"
+  yum:
+    name: "{{ app_packages }}"
+    state: present
+    skip_broken: yes
+  vars:
+    app_packages:
+      - /tmp/ansible_deploy/app_master-1.0.5.5a4fb22-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/app_control_plug-1.0.3.447fc53-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/app_proto_identify-1.0.3.6c893f2-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/app_sketch_local-1.0.4.0edaf58-2.el7.x86_64.rpm
+  when: tsg_app_enable == 1
+
+- name: "mkdir appconf"
+  file:
+    path: /home/mesasoft/sapp_run/appconf
+    state: directory
+  when: tsg_app_enable == 1
+
+- name: "Template the appconf/main.conf"
+  template:
+    src: "{{ role_path }}/templates/main.conf.j2"
+    dest: /home/mesasoft/sapp_run/appconf/main.conf
+  tags: template
+  when: tsg_app_enable == 1
+
+- name: "Template the appconf/maat.conf"
+  template:
+    src: "{{ role_path }}/templates/maat.conf.j2"
+    dest: /home/mesasoft/sapp_run/appconf/maat.conf
+  tags: template
+  when: tsg_app_enable == 1

roles/tsg_app/templates/maat.conf.j2

@@ -0,0 +1,34 @@
+[APP_SIGNATURE_MAAT]
+MAAT_MODE=2
+STAT_SWITCH=1
+PERF_SWITCH=1
+TABLE_INFO=appconf/app_id_tableinfo.conf
+STAT_FILE=app_id_maat.status
+EFFECT_INTERVAL_S=1
+REDIS_IP={{ maat_redis_server.address }}
+REDIS_PORT_NUM=1
+REDIS_PORT={{ maat_redis_server.port }}
+REDIS_INDEX={{ maat_redis_server.db }}
+JSON_CFG_FILE=appconf/app_id_maat.json
+INC_CFG_DIR=apprule/inc/index/
+FULL_CFG_DIR=apprule/full/index/
+EFFECTIVE_RANGE_FILE=/opt/app/etc/app_device_tag.json
+
+[APP_ACTION_MAAT]
+MAAT_MODE=2
+STAT_SWITCH=1
+PERF_SWITCH=1
+TABLE_INFO=appconf/app_action_tableinfo.conf
+STAT_FILE=app_action_maat.status
+EFFECT_INTERVAL_S=1
+REDIS_IP={{ maat_redis_server.address }}
+REDIS_PORT_NUM=1
+REDIS_PORT={{ maat_redis_server.port }}
+REDIS_INDEX={{ maat_redis_server.db }}
+JSON_CFG_FILE=appconf/app_action_maat.json
+INC_CFG_DIR=apprule/inc/index/
+FULL_CFG_DIR=apprule/full/index/
+EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
+
+[MAAT]
+ACCEPT_TAGS={"tags":[{"tag":"device_id","value":"device_1"}]}

roles/tsg_app/templates/main.conf.j2

@@ -0,0 +1,39 @@
+[FEEDBACK]
+QOS=1
+PUBLISH_TOPIC=APP_SIGNATURE_ID
+#CLIENT_ID=
+BROKER_LIST=tcp://{{ app_global_ip }}:1883
+
+[LUA]
+ENABLE=1
+
+[MAAT]
+PROFILE=./appconf/maat.conf
+
+[APP_LOG]
+MODE=1
+LOG_LEVEL={{ applog_level }}
+LOG_PATH=./applog/applog
+BROKER_LIST={{ log_kafkabrokers.address }}
+COMMON_FIELD_FILE=appconf/app_log_field.conf
+
+[FIELD_STAT]
+CYCLE=5
+TELEGRAF_PORT=8100
+TELEGRAF_IP=127.0.0.1
+OUTPUT_PATH=./app_stat.log
+APP_NAME=app_master
+
+[SYSTEM]
+LOG_LEVEL={{ app_master_log_level }}
+LOG_PATH=./applog/app_master
+NIC_NAME={{ nic_mgr.name }}
+
+[APP_SKETCH_LOCAL]
+LOG_LEVEL={{ app_sketch_local_log_level }}
+LOG_PATH=./applog/app_sketch_local/app_sketch_local
+
+[CONTROL_PLUG]
+LOG_LEVEL={{ app_control_plug_log_level }}
+LOG_PATH=./applog/app_control_plug/app_control_plug
+

roles/tsg_master/tasks/main.yml

@@ -6,6 +6,6 @@
 - name: "install tsg_master from localhost"
   yum:
     name:
-      - /tmp/ansible_deploy/tsg_master-3.1.2.7002e1b-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/tsg_master-3.2.9.d1a6f00-2.el7.x86_64.rpm
     state: present
     skip_broken: yes

uninstall/roles/backup_framework_config/tasks/main.yml

@@ -0,0 +1,21 @@
+- name: "create backup_dest_path"
+  file:
+    path: "{{ backup_dest_path }}"
+    state: directory
+  ignore_errors: true
+
+- name: "optMESA_{{ uninstall_version }}_{{ date }}.zip exist?"
+  shell: "ls {{ backup_dest_path }}/optMESA_{{ uninstall_version }}_{{ date }}.zip"
+  register: optMESA_directory
+  ignore_errors: true
+
+- name: "backup /opt/MESA to destination path"
+  archive:
+    path: /opt/MESA
+    dest: "{{ backup_dest_path }}/optMESA_{{ uninstall_version }}_{{ date }}.zip"
+    format: zip
+  when:
+    - optMESA_directory.rc != 0 
+    - backup.framework == 1
+  ignore_errors: true
+

uninstall/roles/backup_marsio_config/tasks/main.yml

@@ -0,0 +1,20 @@
+- name: "create backup_dest_path"
+  file:
+    path: "{{ backup_dest_path }}"
+    state: directory
+  ignore_errors: true
+
+- name: "mrzcpd_{{ uninstall_version }}_{{ date }}.zip exist?"
+  shell: "ls {{ backup_dest_path }}/mrzcpd_{{ uninstall_version }}_{{ date }}.zip"
+  register: mrzcpd_directory
+  ignore_errors: true
+
+- name: "backup /opt/mrzcpd to destination path"
+  archive:
+    path: /opt/mrzcpd
+    dest: "{{ backup_dest_path }}/mrzcpd_{{ uninstall_version }}_{{ date }}.zip"
+    format: zip
+  when:
+    - mrzcpd_directory.rc != 0 
+    - backup.marsio == 1
+  ignore_errors: true

uninstall/roles/backup_sapp_config/tasks/main.yml

@@ -0,0 +1,82 @@
+- name: "create backup_dest_path"
+  file:
+    path: "{{ backup_dest_path }}"
+    state: directory
+  ignore_errors: true
+
+- name: "sapp_etc_{{ uninstall_version }}_{{ date }}.zip exist?"
+  shell: "ls {{ backup_dest_path }}/sapp_etc_{{ uninstall_version }}_{{ date }}.zip"
+  register: sapp_etc
+  ignore_errors: true
+
+- name: "sapp_plug_{{ uninstall_version }}_{{ date }}.zip exist?"
+  shell: "ls {{ backup_dest_path }}/sapp_plug_{{ uninstall_version }}_{{ date }}.zip"
+  register: sapp_plug
+  ignore_errors: true
+
+- name: "sapp_tsgconf_{{ uninstall_version }}_{{ date }}.zip exist?"
+  shell: "ls {{ backup_dest_path }}/sapp_tsgconf_{{ uninstall_version }}_{{ date }}.zip"
+  register: sapp_tsgconf
+  ignore_errors: true
+
+- name: "sapp_appconf_{{ uninstall_version }}_{{ date }}.zip exist?"
+  shell: "ls {{ backup_dest_path }}/sapp_appconf_{{ uninstall_version }}_{{ date }}.zip"
+  register: sapp_appconf
+  ignore_errors: true
+
+- name: "sapp_conf_{{ uninstall_version }}_{{ date }}.zip exist?"
+  shell: "ls {{ backup_dest_path }}/sapp_conf_{{ uninstall_version }}_{{ date }}.zip"
+  register: sapp_conf
+  ignore_errors: true
+
+- name: "backup sapp_run/etc to destination path"
+  archive:
+    path: /home/mesasoft/sapp_run/etc
+    dest: "{{ backup_dest_path }}/sapp_etc_{{ uninstall_version }}_{{ date }}.zip"
+    format: zip
+  when:
+    - sapp_etc.rc != 0 
+    - backup.sapp_etc == 1
+  ignore_errors: true
+
+- name: "backup sapp_run/plug to destination path"
+  archive:
+    path: /home/mesasoft/sapp_run/plug
+    dest: "{{ backup_dest_path }}/sapp_plug_{{ uninstall_version }}_{{ date }}.zip"
+    format: zip
+  when:
+    - sapp_plug.rc != 0 
+    - backup.sapp_plug == 1
+  ignore_errors: true
+
+- name: "backup sapp_run/tsgconf/ to destination path"
+  archive:
+    path: /home/mesasoft/sapp_run/tsgconf
+    dest: "{{ backup_dest_path }}/sapp_tsgconf_{{ uninstall_version }}_{{ date }}.zip"
+    format: zip
+  when:
+    - sapp_tsgconf.rc != 0 
+    - backup.sapp_tsgconf == 1
+  ignore_errors: true
+
+- name: "backup sapp_run/appconf/ to destination path"
+  archive:
+    path: /home/mesasoft/sapp_run/appconf
+    dest: "{{ backup_dest_path }}/sapp_appconf_{{ uninstall_version }}_{{ date }}.zip"
+    format: zip
+  when:
+    - sapp_appconf.rc != 0 
+    - backup.sapp_appconf == 1
+  ignore_errors: true
+
+- name: "backup sapp_run/conf/ to destination path"
+  archive:
+    path: /home/mesasoft/sapp_run/conf
+    dest: "{{ backup_dest_path }}/sapp_conf_{{ uninstall_version }}_{{ date }}.zip"
+    format: zip
+  when:
+    - sapp_conf.rc != 0 
+    - backup.sapp_conf == 1
+  ignore_errors: true
+
+

uninstall/roles/backup_tfe_config/tasks/main.yml

@@ -0,0 +1,20 @@
+- name: "create backup_dest_path"
+  file:
+    path: "{{ backup_dest_path }}"
+    state: directory
+  ignore_errors: true
+
+- name: "tfe_conf_{{ uninstall_version }}_{{ date }}.zip exist?"
+  shell: "ls {{ backup_dest_path }}/tfe_conf_{{ uninstall_version }}_{{ date }}.zip"
+  register: tfeconf_directory
+  ignore_errors: true
+
+- name: "backup /opt/tsg/tfe/conf to destination path"
+  archive:
+    path: /opt/tsg/tfe/conf
+    dest: "{{ backup_dest_path }}/tfe_conf_{{ uninstall_version }}_{{ date }}.zip"
+    format: zip
+  when:
+    - tfeconf_directory.rc != 0 
+    - backup.tfe == 1
+  ignore_errors: true

uninstall/roles/backup_tsgenv_config/tasks/main.yml

@@ -0,0 +1,20 @@
+- name: "create backup_dest_path"
+  file:
+    path: "{{ backup_dest_path }}"
+    state: directory
+  ignore_errors: true
+
+- name: "tsg_env_{{ uninstall_version }}_{{ date }}.zip exist?"
+  shell: "ls {{ backup_dest_path }}/tsg_env_{{ uninstall_version }}_{{ date }}.zip"
+  register: tsgenv_directory
+  ignore_errors: true
+
+- name: "backup /opt/tsg/env to destination path"
+  archive:
+    path: /opt/tsg/env
+    dest: "{{ backup_dest_path }}/tsg_env_{{ uninstall_version }}_{{ date }}.zip"
+    format: zip
+  when:
+    - tsgenv_directory.rc != 0 
+    - backup.tsg_env == 1
+  ignore_errors: true

uninstall/roles/cert_redis/tasks/main.yml

@@ -0,0 +1,7 @@
+- name: "[uninstall cert_redis] stop cert-redis"
+  systemd:
+    name: cert-redis
+    state: stopped
+    enabled: no
+  when: uninstall.certredis == 1
+  ignore_errors: true

uninstall/roles/certstore/tasks/main.yml

@@ -0,0 +1,16 @@
+- name: "[uninstall certstore] stop certstore"
+  systemd:
+    name: certstore
+    state: stopped
+    enabled: no
+  when:
+    - uninstall.certstore == 1
+  ignore_errors: true
+
+- name: "[uninstall certstore] uninstall certstore"
+  yum:
+    name:
+      - "{{ certstore }}"
+    state: absent
+  when: uninstall.certstore == 1
+

uninstall/roles/clotho/tasks/main.yml

@@ -0,0 +1,16 @@
+####################
+#Uninstall clotho
+- name: "[uninstall clotho] stop clotho"
+  systemd:
+    name: clotho
+    state: stopped
+    enabled: no
+  when: uninstall.clotho == 1
+  ignore_errors: true
+
+- name: "[uninstall clotho] uninstall clotho"
+  yum:
+    name:
+      - "{{ clotho }}"
+    state: absent
+  when: uninstall.clotho == 1

uninstall/roles/firewall/tasks/main.yml

@@ -0,0 +1,72 @@
+####################
+#Uninstall firewall
+- name: "[uninstall firewall] stop sapp"
+  systemd:
+    name: sapp
+    state: stopped
+    enabled: no
+  when:
+    - uninstall.firewall == 1
+  ignore_errors: true
+
+- name: "[uninstall firewall] create /home/mesasoft/sapp_runetc/"
+  file:
+    path: /home/mesasoft/sapp_runetc/
+    state: directory
+  when: uninstall.firewall == 1
+
+- name: "[uninstall firewall] create entrylist.conf"
+  file:
+    path: /home/mesasoft/sapp_runetc/entrylist.conf
+    state: touch
+  when: uninstall.firewall == 1
+
+- name: "[uninstall firewall] uninstall firewall"
+  yum:
+    name:
+      - "{{ capture_packet_plug }}"
+      - "{{ dns }}"
+      - "{{ ftp }}"
+      - "{{ http }}"
+      - "{{ quic }}"
+      - "{{ ssl }}"
+      - "{{ mail }}"
+      - "{{ fw_dns }}"
+      - "{{ fw_ftp }}"
+      - "{{ fw_http }}"
+      - "{{ fw_ssl }}"
+      - "{{ fw_mail }}"
+    state: absent
+  when: uninstall.firewall == 1
+
+- name: "[uninstall firewall] uninstall fw_quic"
+  yum:
+    name:
+      - "{{ fw_quic }}"
+    state: absent
+  when: uninstall.firewall == 1
+  ignore_errors: true
+
+- name: "[uninstall firewall] uninstall tsg_conn_record"
+  yum:
+    name:
+      - "{{ tsg_conn_record }}"
+    state: absent
+  when: uninstall.firewall == 1
+  ignore_errors: true
+
+- name: "[uninstall firewall] uninstall tsg_conn_sketch"
+  yum:
+    name:
+      - "{{ tsg_conn_sketch }}"
+    state: absent
+  when: uninstall.firewall == 1
+  ignore_errors: true
+
+
+- name: "[uninstall firewall] remove /home/mesasoft/sapp_runetc"
+  file:
+    path: /home/mesasoft/sapp_runetc
+    state: absent
+  when: uninstall.firewall == 1
+

uninstall/roles/framework/tasks/main.yml

@@ -0,0 +1,40 @@
+- name: "[uninstall framework] create project_list.conf"
+  file:
+    path: /home/mesasoft/sapp_run/etc/project_list.conf
+    state: touch
+  when: uninstall.framework == 1
+  ignore_errors: true
+
+- name: "[uninstall framework] create conflist.inf"
+  file:
+    path: /home/mesasoft/sapp_run/plug/conflist.inf
+    state: touch
+  when: uninstall.framework == 1
+  ignore_errors: true
+
+- name: "[uninstall framework] uninstall framework"
+  yum:
+    name:
+      - "{{ libcjson }}"
+      - "{{ libdocument }}"
+      - "{{ libmaatframe }}"
+      - "{{ libMESA_field_stat }}"
+      - "{{ libMESA_field_stat2 }}"
+      - "{{ libMESA_handle_logger }}"
+      - "{{ libMESA_htable }}"
+      - "{{ libMESA_prof_load }}"
+      - "{{ librdkafka }}"
+      - "{{ librulescan }}"
+      - "{{ libwiredcfg }}"
+      - "{{ libWiredLB }}"
+      - "{{ lz4 }}"
+    state: absent
+  when: uninstall.framework == 1
+
+- name: "[uninstall framework] uninstall framework"
+  yum:
+    name:
+      - "{{ libtsglua }}"
+    state: absent
+  when: uninstall.framework == 1
+  ignore_errors: true

uninstall/roles/http_healthcheck/tasks/main.yml

@@ -0,0 +1,9 @@
+####################
+#Uninstall http_healthcheck
+- name: "[uninstall http_healthcheck] uninstall http_healthcheck"
+  yum:
+    name:
+      - "{{ http_healthcheck }}"
+    state: absent
+  when: uninstall.http_healthcheck == 1
+