diff --git a/config/tfe/doh/doh.conf b/config/tfe/doh/doh.conf
new file mode 100644
index 0000000..452ab41
--- /dev/null
+++ b/config/tfe/doh/doh.conf
@@ -0,0 +1,13 @@
+[doh]
+enable=0
+
+[maat]
+table_appid=TSG_OBJ_APP_ID
+table_addr=TSG_SECURITY_ADDR
+table_qname=TSG_FIELD_DOH_QNAME
+table_host=TSG_FIELD_DOH_HOST
+
+[kafka]
+ENTRANCE_ID=0
+# if enable "en_sendlog", the iterm "tfe.conf [kafka] enable" must set 1
+en_sendlog=1
diff --git a/config/tfe/pangu/pangu_pxy.conf b/config/tfe/pangu/pangu_pxy.conf
new file mode 100644
index 0000000..7212c61
--- /dev/null
+++ b/config/tfe/pangu/pangu_pxy.conf
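Review bot: `en_sendlog=1` in [kafka] is switched on while the comment directly above it says this requires `tfe.conf [kafka] enable` to be 1, yet the tfe.conf added in this same commit sets `enable=0`; one of the two values (or the comment) is wrong and the mismatch should be settled before this config ships. The comment also misspells "item" as "iterm" (the same wording recurs in pangu_pxy.conf [log] and tfe.conf [maat]); suggested text: `# if en_sendlog=1, [kafka] enable in tfe.conf must also be 1`. `ENTRANCE_ID` is upper-case here while pangu_pxy.conf spells the same setting `entrance_id`; confirm the reader is case-insensitive or use the lower-case form consistently.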
@@ -0,0 +1,92 @@
+[debug]
+enable_plugin=1
+
+[log]
+entrance_id=0
+# default 1, if enable "en_sendlog", the iterm "tfe.conf [kafka] enable" must set 1
+en_sendlog=0
+#Addresses of minio. Format is defined by WiredLB.
+minio_ip_list=192.168.44.10;
+minio_listen_port=9090
+#Maximum number of connections opened by per host.
+#MAX_CONNECTION_PER_HOST=1
+#Maximum number of requests in a pipeline.
+#MAX_CNNT_PIPELINE_NUM=20
+#Maximum parellel sessions(http and redis) is allowed to open.
+#MAX_CURL_SESSION_NUM=100
+#Maximum time the request is allowed to take(seconds).
+#MAX_CURL_TRANSFER_TIMEOUT_S=0
+
+#Bucket name in minio.
+cache_bucket_name=proxybucket
+#Maximum size of memory used by tango_cache_client. Upload will fail if the current size of memory used exceeds this value.
+max_used_memroy_size_mb=5120
+#Default TTL of objects, i.e. the time after which the object will expire(minumun 60s, i.e. 1 minute).
+cache_default_ttl_second=3600
+#Whether to hash the object key before cache actions. GET/PUT may be faster if you open it.
+cache_object_key_hash_switch=1
+
+#Store way: 0-MINIO; 1-META in REDIS, object in minio; 2-META and small object in Redis, large object in minio;
+cache_store_object_way=0
+#If CACHE_STORE_OBJECT_WAY is 2 and the size of a object is not bigger than this value, object will be stored in redis.
+redis_cache_object_size=1024000
+#If CACHE_STORE_OBJECT_WAY is not 0, we will use redis to store meta and object.
+redis_cluster_addrs=192.168.10.62-63;
+
+#Configs of WiredLB for Minios load balancer.
+wiredlb_override=1
+wiredlb_topic=MinioFileLog
+wiredlb_datacenter=k18consul-tse
+wiredlb_health_port=8560
+wiredlb_group=FileLog
+
+log_fsstat_appname=tango_log_file
+log_fsstat_filepath=./tango_log_file.fs
+log_fsstat_interval=10
+log_fsstat_trig=1
+log_fsstat_dst_ip=10.4.20.202
+log_fsstat_dst_port=8125
+
+[ratelimit]
+enable=0
+token_name=ratelimit
+redis_server=192.168.44.72
+redis_port=7002
+redis_db_index=6
+
+[tango_cache]
+enable_cache=0
+min_cache_obj_size=512
+#minio ip, as wiredlb required
+minio_ip_list=192.168.10.61-64;
+minio_listen_port=9000
+
+#max_connection_per_host=1
+max_cnnt_pipeline_num=20
+#max_curl_session_num=100
+
+cache_bucket_name=proxybucket
+max_used_memory_size_mb=10240
+cache_default_ttl_second=3600
+cache_object_key_hash_switch=1
+
+#1-minio,2-redis
+#Store way: 0-MINIO; 1-META in REDIS, object in minio; 2-META and small object in Redis, large object in minio;
+cache_store_object_way=0
+#If CACHE_STORE_OBJECT_WAY is 2 and the size of a object is not bigger than this value, object will be stored in redis.
+redis_cache_object_size=102400
+#If CACHE_STORE_OBJECT_WAY is not 0, we will use redis to store meta and object.
+redis_cluster_addrs=192.168.10.62-63;
+
+#wired load balancer configuration
+wiredlb_override=1
+wiredlb_topic=MinioCache
+wiredlb_datacenter=k18consul-tse
+wiredlb_health_port=52101
+wiredlb_group=TangoCache
+
+cache_undefined_obj=1
+query_undefined_obj=0
+statsd_server=192.168.10.72
+statsd_port=8126
+histogram_bins=0.20,0.40,0.6,0.8
diff --git a/config/tfe/tfe/future.conf b/config/tfe/tfe/future.conf
new file mode 100644
index 0000000..f1ef8b0
--- /dev/null
+++ b/config/tfe/tfe/future.conf
@@ -0,0 +1,10 @@
+[STAT]
+no_stats=0
+statsd_server=127.0.0.1
+statsd_port=8100
+histogram_bins=0.50,0.80,0.9,0.95
+statsd_cycle=5
+# FS_OUTPUT_STATSD=1, FS_OUTPUT_INFLUX_LINE=2
+statsd_format=2
+# printf diff Not available
+# print_diff=1
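Review bot: The [log] section spells its key `max_used_memroy_size_mb=5120` while [tango_cache] uses `max_used_memory_size_mb=10240`; if the reader looks up the correctly spelled name, the [log] limit is silently never applied and the cap the comment above it promises does not take effect. Change it to `max_used_memory_size_mb=5120` unless the misspelled name is what the code actually reads, in which case a comment should say so. In [tango_cache] the stale line `#1-minio,2-redis` contradicts the `#Store way: 0-MINIO; 1-META in REDIS ...` comment right below it and should be deleted. The commented-out `#MAX_CONNECTION_PER_HOST=1` style keys in [log] are upper-case while their live counterparts in [tango_cache] are lower-case, so they cannot be uncommented as written.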
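Review bot: `[STAT]` repeats the `[stat]` section that tfe.conf from this same commit already carries, with a different section-name case and a different `histogram_bins` (`0.50,0.80,0.9,0.95` here versus `0.5,0.8,0.9,0.95` there), and nothing on the page says which file wins or whether section names are case-sensitive for this reader. A header comment stating what consumes future.conf and how it relates to tfe.conf's [stat] would remove the ambiguity, e.g. `# future.conf: stat settings read by <CONSUMER>; relation to tfe.conf [stat]: <OVERRIDES|IGNORED>` with the real behaviour filled in. `# printf diff Not available` looks like a typo for `print_diff`.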
diff --git a/config/tfe/tfe/tfe.conf b/config/tfe/tfe/tfe.conf
new file mode 100644
index 0000000..977e5d6
--- /dev/null
+++ b/config/tfe/tfe/tfe.conf
@@ -0,0 +1,178 @@
+[system]
+nr_worker_threads=8
+enable_kni_v1=0
+enable_kni_v2=0
+enable_kni_v3=1
+
+# Only when (disable_coredump == 1 || (enable_breakpad == 1 && enable_breakpad_upload == 1)) is satisfied, the core will not be generated locally
+disable_coredump=0
+enable_breakpad=1
+enable_breakpad_upload=1
+breakpad_upload_url=http://sentry.mesalab.cn:9000/api/3/minidump/?sentry_key=e8e446bb3bd8435c97f4c01770ca7025
+# must be /run/tfe/crashreport,due to tmpfile limit
+breakpad_minidump_dir=/run/tfe/crashreport
+
+# ask for at least (1 + nr_worker_threads) masks
+# the first mask for acceptor thread
+# the others mask for worker thread
+enable_cpu_affinity=1
+cpu_affinity_mask=1-9
+# LEAST_CONN = 0; ROUND_ROBIN = 1
+load_balance=1
+
+[kni]
+# kni v1
+#uxdomain=/var/run/.tfe_kni_acceptor_handler
+# kni v2
+#scm_socket_file=/var/run/.tfe_kmod_scm_socket
+
+# send cmsg
+send_switch=0
+ip=192.168.100.1
+cmsg_port=2475
+
+# watch dog
+watchdog_switch=0
+watchdog_port=2476
+
+[ssl]
+ssl_ja3_debug=0
+ssl_ja3_table=PXY_SSL_FINGERPRINT
+# ssl version Not available, configured via TSG website
+# ssl_max_version=tls13
+# ssl_min_version=ssl3
+ssl_compression=1
+no_ssl2=1
+no_ssl3=0
+no_tls10=0
+no_tls11=0
+no_tls12=0
+default_ciphers=ALL:-aNULL
+no_cert_verify=0
+
+# session ticket
+no_session_ticket=0
+stek_group_num=4096
+stek_rotation_time=3600
+
+# session cache
+no_session_cache=0
+session_cache_slots=4194304
+session_cache_expire_seconds=1800
+
+# service cache
+service_cache_slots=4194304
+service_cache_expire_seconds=300
+service_cache_fail_as_pinning_cnt=4
+service_cache_fail_as_proto_err_cnt=5
+service_cache_fail_time_window=30
+
+# cert
+check_cert_crl=0
+trusted_cert_load_local=0
+#trusted_cert_file=resource/tfe/tls-ca-bundle.pem
+trusted_cert_file=resource/tfe/tsg_diagonse_ca.pem
+trusted_cert_dir=resource/tfe/trusted_storage
+
+# master key
+log_master_key=0
+key_log_file=log/sslkeylog.log
+
+# mid cert cache
+mc_cache_enable=0
+mc_cache_eth=eth0
+mc_cache_broker_list=192.168.44.11:9092,192.168.44.14:9092,192.168.44.15:9092
+mc_cache_topic=PXY-EXCH-INTERMEDIA-CERT
+
+[key_keeper]
+#Mode: debug - generate cert with ca_path, normal - generate cert with cert store
+#0 on cache 1 off cache
+no_cache=0
+mode=normal
+cert_store_host=192.168.40.21
+cert_store_port=9991
+ca_path=resource/tfe/tango-ca-trust-ca.pem
+untrusted_ca_path=resource/tfe/tango-ca-untrust-ca.pem
+hash_slot_size=131072
+hash_expire_seconds=300
+cert_expire_time=24
+
+# health_check only for "mode=normal" default 1
+enable_health_check=1
+
+[debug]
+# 1 : enforce tcp passthrough
+# 0 : Whether to passthrough depends on the tcp_options in cmsg
+passthrough_all_tcp=0
+
+[ratelimit]
+read_rate=0
+read_burst=0
+write_rate=0
+write_burst=0
+
+[tcp]
+# read rcv_buff/snd_buff options from tfe conf
+sz_rcv_buffer=-1
+sz_snd_buffer=-1
+
+# 1 : use tcp_options in tfe.conf
+# 0 : use tcp_options in cmsg
+enable_overwrite=0
+tcp_nodelay=1
+so_keepalive=1
+tcp_keepcnt=8
+tcp_keepintvl=15
+tcp_keepidle=30
+tcp_user_timeout=600
+tcp_ttl_upstream=75
+tcp_ttl_downstream=70
+
+[stat]
+statsd_server=127.0.0.1
+statsd_port=8100
+statsd_cycle=5
+# 1:FS_OUTPUT_STATSD; 2:FS_OUTPUT_INFLUX_LINE
+statsd_format=2
+histogram_bins=0.5,0.8,0.9,0.95
+statsd_set_prometheus_port=9001
+statsd_set_prometheus_url_path=/metrics
+
+[traffic_mirror]
+enable=0
+device=ens8f2
+# 0:TRAFFIC_MIRROR_ETHDEV_AF_PACKET; 1:TRAFFIC_MIRROR_ETHDEV_MARSIO
+type=1
+table_info=resource/pangu/table_info_traffic_mirror.conf
+stat_file=log/traffic_mirror.status
+
+[kafka]
+enable=0
+NIC_NAME=eth0
+kafka_brokerlist=192.168.44.11:9092,192.168.44.14:9092,192.168.44.15:9092
+kafka_topic=PROXY-EVENT-LOG
+device_id_filepath=/opt/tsg/etc/tsg_sn.json
+
+[maat]
+# 0:json 1:redis 2:iris
+maat_input_mode=1
+stat_switch=1
+perf_switch=1
+table_info=resource/pangu/table_info.conf
+accept_path=/opt/tsg/etc/tsg_device_tag.json
+accept_tag_key=device_id
+stat_file=log/pangu_scan.fs2
+effect_interval_s=1
+deferred_load_on=0
+
+# json mode conf iterm
+json_cfg_file=resource/pangu/pangu_http.json
+
+# redis mode conf iterm
+maat_redis_server=192.168.44.72
+maat_redis_port_range=7002
+maat_redis_db_index=0
+
+# iris mode conf iterm
+full_cfg_dir=pangu_policy/full/index/
+inc_cfg_dir=pangu_policy/inc/index/
diff --git a/config/tfe/tfe/zlog.conf b/config/tfe/tfe/zlog.conf
new file mode 100644
index 0000000..70e3f72
--- /dev/null
+++ b/config/tfe/tfe/zlog.conf
@@ -0,0 +1,20 @@
+# kill -s SIGHUP "pid"
+
+[global]
+
+default format = "%d(%c), %V, %F, %U, %m%n"
+
+[levels]
+
+DEBUG=10
+INFO=20
+FATAL=30
+
+[rules]
+
+*.fatal "./log/error.log.%d(%F)";
+tfe.DEBUG "./log/tfe.log.%d(%F)";
+http.DEBUG "./log/http.log.%d(%F)";
+http2.DEBUG "./log/http2.log.%d(%F)";
+doh.DEBUG "./log/doh_pxy.log.%d(%F)";
+pangu.DEBUG "./log/pangu_pxy.log.%d(%F)";
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index 00d5c7b..da3e06f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -18,3 +18,23 @@ services:
 - ./config/sapp_run/tsgconf/maat.conf:/home/mesasoft/sapp_run/tsgconf/maat.conf
 - ./config/sapp_run/conf/capture_packet_plug.conf:/home/mesasoft/sapp_run/conf/capture_packet_plug.conf
 - /etc/localtime:/etc/localtime:ro
+ tfe:
+ build:
+ context: ./dockerfile/tfe
+ dockerfile: Dockerfile
+ image: "tfe-v4.4"
+ container_name: "tfe-container-v4.4"
+ security_opt:
+ - seccomp:unconfined
+ cap_add:
+ - NET_ADMIN
+ - SYS_PTRACE
+ devices:
+ - "/dev/net/tun:/dev/net/tun"
+ volumes:
+ - ./config/tfe/doh/doh.conf:/opt/tsg/tfe/conf/doh/doh.conf
+ - ./config/tfe/pangu/pangu_pxy.conf:/opt/tsg/tfe/conf/pangu/pangu_pxy.conf
+ - ./config/tfe/tfe/future.conf:/opt/tsg/tfe/conf/tfe/future.conf
+ - ./config/tfe/tfe/tfe.conf:/opt/tsg/tfe/conf/tfe/tfe.conf
+ - ./config/tfe/tfe/zlog.conf:/opt/tsg/tfe/conf/tfe/zlog.conf
+ - /etc/localtime:/etc/localtime:ro
diff --git a/dockerfile/tfe/Dockerfile b/dockerfile/tfe/Dockerfile
index 3bba4df..0d2ac47 100644
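Review bot: `enable_breakpad_upload=1` together with `breakpad_upload_url=http://sentry.mesalab.cn:9000/...?sentry_key=...` commits a Sentry ingest key to the repository and sends minidumps over plain HTTP; for a TLS-terminating proxy ([ssl], [key_keeper]) a minidump is a snapshot of process memory, so session keys, certificates and decrypted traffic can leave the host unencrypted to whoever operates that endpoint. Move the key out of the repo (environment or per-deployment value), use an https URL if the collector supports it, and default `enable_breakpad_upload=0` so that upload is an explicit per-deployment opt-in. Separately, [ssl] keeps `no_ssl3=0`, `no_tls10=0`, `no_tls11=0` and `ssl_compression=1`, i.e. SSLv3, TLS 1.0/1.1 and TLS compression stay enabled alongside `default_ciphers=ALL:-aNULL`; if that is deliberate for interoperability, a comment above the block saying so would stop the next reader from re-raising it. [kafka] `enable=0` here conflicts with `en_sendlog=1` in doh.conf from this commit, whose own comment requires this value to be 1.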
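Review bot: Every [rules] entry is at `DEBUG`, the lowest level declared in [levels], so all categories write debug-level output under ./log in what this commit wires up as the deployed container; if that is only for bring-up, a comment naming the level to switch to for production would help, since debug logs of a proxy tend to carry request data. The `*.fatal` rule plus a per-category `DEBUG` rule presumably writes fatal messages twice (error.log and the category file) — confirm that is intended. The header comment `# kill -s SIGHUP "pid"` does not say what it is for; if it documents a runtime reload, `# reload this file at runtime: kill -s SIGHUP <TFE_PID>` says so. The file also has no trailing newline.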
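Review bot: The new `tfe` service combines `seccomp:unconfined` with `cap_add: NET_ADMIN, SYS_PTRACE` and the `/dev/net/tun` device; tfe-env.sh in this commit accounts for NET_ADMIN and the tun device (ip/iptables), but nothing on the page explains why the default seccomp profile must be disabled or why SYS_PTRACE is needed at runtime rather than only for an interactive gdb session, and both widen what a compromised proxy process can do to the host kernel. Add a comment above `security_opt` naming the syscall or tool that fails under the default profile, or drop the line if it was copied from the `docker run` example in the Dockerfile. The five config bind mounts are read-write while `/etc/localtime` is `:ro`; the container has no reason to modify them, so `- ./config/tfe/tfe/tfe.conf:/opt/tsg/tfe/conf/tfe/tfe.conf:ro` (and likewise for the other four) prevents a container-side write from silently changing the repo copy. `image: "tfe-v4.4"` does not match the tfe 4.3.30 rpm the Dockerfile installs.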
--- a/dockerfile/tfe/Dockerfile
+++ b/dockerfile/tfe/Dockerfile
@@ -1,39 +1,52 @@
-FROM centos:7
+FROM docker.io/centos:7
-COPY MESA-Framework.repo /etc/yum.repos.d/
+COPY MESA-Framework.repo /etc/yum.repos.d/
+COPY framework.conf /etc/ld.so.conf.d/
-RUN yum makecache && yum install -y \
+RUN yum makecache && yum install -y \
+ mrzcpd \
+ numactl \
+ zlib \
+ librdkafka \
+ systemd \
 libcjson \
- libdocumentanalyze \
 libmaatframe \
- libMESA_field_stat \
 libMESA_field_stat2 \
 libMESA_handle_logger \
- libMESA_htable\
+ libMESA_htable \
 libMESA_prof_load \
- librdkafka \
 librulescan \
- libtsglua \
 libwiredcfg \
 libWiredLB \
- lz4 \
+ sapp \
 libbreakpad_mini \
- mrzcpd \
- tfe
+ libmnl \
+ libnfnetlink \
+ iptables \
+ iproute \
+ && ldconfig
 RUN yum install -y \
 epel-release \
- python3 \
 gdb \
- numactl \
+ strace \
+ htop \
 tcpdump \
 net-tools \
+ curl \
 vim \
- && pip3 install supervisor \
+ python3 \
+ && pip3 install supervisor \
 && yum clean all
-CMD tail -f /dev/null
-
+COPY tfe-env.sh /opt/tsg/tfe/
+COPY tfe-4.3.30.202103111806030800.ce55dbd-1.el7.x86_64.rpm /root/
+RUN rpm -ivh /root/tfe-4.3.30.202103111806030800.ce55dbd-1.el7.x86_64.rpm && chmod o+x /opt/tsg/tfe/tfe-env.sh
+COPY supervisord.conf /etc/supervisord/
-#ENTRYPOINT ["cat","/root/test.txt"]
+WORKDIR /opt/tsg/tfe/
+ENTRYPOINT ["/usr/local/bin/supervisord", "-n", "-c", "/etc/supervisord/supervisord.conf"]
+
+# docker run -it --cap-add=NET_ADMIN --cap-add=SYS_PTRACE --security-opt seccomp=unconfined --device /dev/net/tun:/dev/net/tun tfe:v1 /bin/bash
+# supervisorctl -c /etc/supervisord/supervisord.conf status
\ No newline at end of file
diff --git a/dockerfile/tfe/framework.conf b/dockerfile/tfe/framework.conf
new file mode 100644
index 0000000..a7a8844
--- /dev/null
+++ b/dockerfile/tfe/framework.conf
@@ -0,0 +1 @@
+/opt/MESA/lib/
\ No newline at end of file
diff --git a/dockerfile/tfe/supervisord.conf b/dockerfile/tfe/supervisord.conf
new file mode 100644
index 0000000..3cd3cc9
--- /dev/null
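Review bot: Both `yum install` lists and `pip3 install supervisor` are unpinned, so a rebuild can pull different library versions than the `tfe-4.3.30...rpm` the image is built around, and `FROM docker.io/centos:7` is tag-only; pin at least the libraries tfe links against (the libMESA_*, libmaatframe, librdkafka and libbreakpad_mini lines) and the supervisor version, and consider a digest for the base image. The second RUN now adds `strace`, `htop`, `gdb` and `tcpdump` to the runtime image; if they are there for debugging, a comment saying so (or a build arg that gates them) keeps packet-capture and ptrace tooling out of a production container that already carries SYS_PTRACE. `chmod o+x /opt/tsg/tfe/tfe-env.sh` grants execute only to "other"; `chmod 0755 /opt/tsg/tfe/tfe-env.sh` states the intent and does not rely on the program running as root. The trailing `# docker run ... tfe:v1` comment names an image tag that differs from the compose file's `tfe-v4.4`.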
+++ b/dockerfile/tfe/supervisord.conf 
@@ -0,0 +1,188 @@
+; Sample supervisor config file.
+;
+; For more information on the config file, please see:
+; http://supervisord.org/configuration.html
+;
+; Notes:
+; - Shell expansion ("~" or "$HOME") is not supported. Environment
+; variables can be expanded using this syntax: "%(ENV_HOME)s".
+; - Quotes around values are not supported, except in the case of
+; the environment= options as shown below.
+; - Comments must have a leading space: "a=b ;comment" not "a=b;comment".
+; - Command will be truncated if it looks like a config file comment, e.g.
+; "command=bash -c 'foo ; bar'" will truncate to "command=bash -c 'foo ".
+;
+; Warning:
+; Paths throughout this example file use /tmp because it is available on most
+; systems. You will likely need to change these to locations more appropriate
+; for your system. Some systems periodically delete older files in /tmp.
+; Notably, if the socket file defined in the [unix_http_server] section below
+; is deleted, supervisorctl will be unable to connect to supervisord.
+
+[unix_http_server]
+file=/var/run/supervisor.sock ; the path to the socket file
+;chmod=0700 ; socket file mode (default 0700)
+;chown=nobody:nogroup ; socket file uid:gid owner
+;username=user ; default is no username (open server)
+;password=123 ; default is no password (open server)
+
+; Security Warning:
+; The inet HTTP server is not enabled by default. The inet HTTP server is
+; enabled by uncommenting the [inet_http_server] section below. The inet
+; HTTP server is intended for use within a trusted environment only. It
+; should only be bound to localhost or only accessible from within an
+; isolated, trusted network. The inet HTTP server does not support any
+; form of encryption. The inet HTTP server does not use authentication
+; by default (see the username= and password= options to add authentication).
+; Never expose the inet HTTP server to the public internet.
+
+;[inet_http_server] ; inet (TCP) server disabled by default
+;port=127.0.0.1:9001 ; ip_address:port specifier, *:port for all iface
+;username=user ; default is no username (open server)
+;password=123 ; default is no password (open server)
+
+[supervisord]
+logfile=/tmp/supervisord.log ; main log file; default $CWD/supervisord.log
+logfile_maxbytes=50MB ; max main logfile bytes b4 rotation; default 50MB
+logfile_backups=10 ; # of main logfile backups; 0 means none, default 10
+loglevel=info ; log level; default info; others: debug,warn,trace
+pidfile=/var/run/supervisord.pid ; supervisord pidfile; default supervisord.pid
+nodaemon=false ; start in foreground if true; default false
+silent=false ; no logs to stdout if true; default false
+minfds=1024 ; min. avail startup file descriptors; default 1024
+minprocs=200 ; min. avail process descriptors;default 200
+;umask=022 ; process file creation umask; default 022
+;user=supervisord ; setuid to this UNIX account at startup; recommended if root
+;identifier=supervisor ; supervisord identifier, default is 'supervisor'
+;directory=/tmp ; default is not to cd during start
+;nocleanup=true ; don't clean up tempfiles at start; default false
+;childlogdir=/tmp ; 'AUTO' child log dir, default $TEMP
+;environment=KEY="value" ; key value pairs to add to environment
+;strip_ansi=false ; strip ansi escape codes in logs; def. false
+
+; The rpcinterface:supervisor section must remain in the config file for
+; RPC (supervisorctl/web interface) to work. Additional interfaces may be
+; added by defining them in separate [rpcinterface:x] sections.
+
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
+; The supervisorctl section configures how supervisorctl will connect to
+; supervisord. configure it match the settings in either the unix_http_server
+; or inet_http_server section.
+
+[supervisorctl]
+serverurl=unix:///var/run/supervisor.sock ; use a unix:// URL for a unix socket
+;serverurl=http://127.0.0.1:9001 ; use an http:// url to specify an inet socket
+;username=chris ; should be same as in [*_http_server] if set
+;password=123 ; should be same as in [*_http_server] if set
+;prompt=mysupervisor ; cmd line prompt (default "supervisor")
+;history_file=~/.sc_history ; use readline history if available
+
+; The sample program section below shows all possible program subsection values.
+; Create one or more 'real' program: sections to be able to control them under
+; supervisor.
+
+;[program:theprogramname]
+;command=/bin/cat ; the program (relative uses PATH, can take args)
+;process_name=%(program_name)s ; process_name expr (default %(program_name)s)
+;numprocs=1 ; number of processes copies to start (def 1)
+;directory=/tmp ; directory to cwd to before exec (def no cwd)
+;umask=022 ; umask for process (default None)
+;priority=999 ; the relative start priority (default 999)
+;autostart=true ; start at supervisord start (default: true)
+;startsecs=1 ; # of secs prog must stay up to be running (def. 1)
+;startretries=3 ; max # of serial start failures when starting (default 3)
+;autorestart=unexpected ; when to restart if exited after running (def: unexpected)
+;exitcodes=0 ; 'expected' exit codes used with autorestart (default 0)
+;stopsignal=QUIT ; signal used to kill process (default TERM)
+;stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
+;stopasgroup=false ; send stop signal to the UNIX process group (default false)
+;killasgroup=false ; SIGKILL the UNIX process group (def false)
+;user=chrism ; setuid to this UNIX account to run the program
+;redirect_stderr=true ; redirect proc stderr to stdout (default false)
+;stdout_logfile=/a/path ; stdout log path, NONE for none; default AUTO
+;stdout_logfile_maxbytes=1MB ; max # logfile bytes b4 rotation (default 50MB)
+;stdout_logfile_backups=10 ; # of stdout logfile backups (0 means none, default 10)
+;stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
+;stdout_events_enabled=false ; emit events on stdout writes (default false)
+;stdout_syslog=false ; send stdout to syslog with process name (default false)
+;stderr_logfile=/a/path ; stderr log path, NONE for none; default AUTO
+;stderr_logfile_maxbytes=1MB ; max # logfile bytes b4 rotation (default 50MB)
+;stderr_logfile_backups=10 ; # of stderr logfile backups (0 means none, default 10)
+;stderr_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
+;stderr_events_enabled=false ; emit events on stderr writes (default false)
+;stderr_syslog=false ; send stderr to syslog with process name (default false)
+;environment=A="1",B="2" ; process environment additions (def no adds)
+;serverurl=AUTO ; override serverurl computation (childutils)
+
+; The sample eventlistener section below shows all possible eventlistener
+; subsection values. Create one or more 'real' eventlistener: sections to be
+; able to handle event notifications sent by supervisord.
+
+;[eventlistener:theeventlistenername]
+;command=/bin/eventlistener ; the program (relative uses PATH, can take args)
+;process_name=%(program_name)s ; process_name expr (default %(program_name)s)
+;numprocs=1 ; number of processes copies to start (def 1)
+;events=EVENT ; event notif. types to subscribe to (req'd)
+;buffer_size=10 ; event buffer queue size (default 10)
+;directory=/tmp ; directory to cwd to before exec (def no cwd)
+;umask=022 ; umask for process (default None)
+;priority=-1 ; the relative start priority (default -1)
+;autostart=true ; start at supervisord start (default: true)
+;startsecs=1 ; # of secs prog must stay up to be running (def. 1)
+;startretries=3 ; max # of serial start failures when starting (default 3)
+;autorestart=unexpected ; autorestart if exited after running (def: unexpected)
+;exitcodes=0 ; 'expected' exit codes used with autorestart (default 0)
+;stopsignal=QUIT ; signal used to kill process (default TERM)
+;stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
+;stopasgroup=false ; send stop signal to the UNIX process group (default false)
+;killasgroup=false ; SIGKILL the UNIX process group (def false)
+;user=chrism ; setuid to this UNIX account to run the program
+;redirect_stderr=false ; redirect_stderr=true is not allowed for eventlisteners
+;stdout_logfile=/a/path ; stdout log path, NONE for none; default AUTO
+;stdout_logfile_maxbytes=1MB ; max # logfile bytes b4 rotation (default 50MB)
+;stdout_logfile_backups=10 ; # of stdout logfile backups (0 means none, default 10)
+;stdout_events_enabled=false ; emit events on stdout writes (default false)
+;stdout_syslog=false ; send stdout to syslog with process name (default false)
+;stderr_logfile=/a/path ; stderr log path, NONE for none; default AUTO
+;stderr_logfile_maxbytes=1MB ; max # logfile bytes b4 rotation (default 50MB)
+;stderr_logfile_backups=10 ; # of stderr logfile backups (0 means none, default 10)
+;stderr_events_enabled=false ; emit events on stderr writes (default false)
+;stderr_syslog=false ; send stderr to syslog with process name (default false)
+;environment=A="1",B="2" ; process environment additions
+;serverurl=AUTO ; override serverurl computation (childutils)
+
+; The sample group section below shows all possible group values. Create one
+; or more 'real' group: sections to create "heterogeneous" process groups.
+
+;[group:thegroupname]
+;programs=progname1,progname2 ; each refers to 'x' in [program:x] definitions
+;priority=999 ; the relative start priority (default 999)
+
+; The [include] section can just contain the "files" setting. This
+; setting can list multiple files (separated by whitespace or
+; newlines). It can also contain wildcards. The filenames are
+; interpreted as relative to this file. Included files *cannot*
+; include files themselves.
+
+;[include]
+;files = relative/directory/*.ini
+
+[program:tfe-env]
+user=root
+Command=bash -c "/opt/tsg/tfe/tfe-env.sh start"
+directory=/opt/tsg/tfe/
+
+startsecs=0
+startretries=0
+autorestart=false
+
+[program:tfe]
+user=root
+Command="/opt/tsg/tfe/bin/tfe"
+directory=/opt/tsg/tfe/
+
+autostart=true
+startsecs=1
+startretries=3
\ No newline at end of file
diff --git a/dockerfile/tfe/tfe-4.3.30.202103111806030800.ce55dbd-1.el7.x86_64.rpm b/dockerfile/tfe/tfe-4.3.30.202103111806030800.ce55dbd-1.el7.x86_64.rpm
new file mode 100644
index 0000000..4885842
Binary files /dev/null and b/dockerfile/tfe/tfe-4.3.30.202103111806030800.ce55dbd-1.el7.x86_64.rpm differ
diff --git a/dockerfile/tfe/tfe-env.sh b/dockerfile/tfe/tfe-env.sh
new file mode 100644
index 0000000..b6e4dcf
--- /dev/null
+++ b/dockerfile/tfe/tfe-env.sh
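Review bot: [program:tfe-env] and [program:tfe] both keep the default `priority=999`, and tfe-env is a one-shot (`startsecs=0`, `autorestart=false`), so nothing orders the creation of tun_kni and the routing rules before tfe starts — presumably tfe's KNI path needs that device, in which case the first start races the script and only `startretries=3` papers over it. Give the script a lower priority (`priority=100`) and, since supervisord as far as I know does not wait for a one-shot to exit, either have tfe-env.sh exec tfe itself or make tfe tolerate a missing device at startup. `Command=` is capitalised in both sections while the file's own samples and every other key are lower-case; confirm the parser lower-cases option names (otherwise `command` is missing and the section is rejected) and write `command=` anyway, dropping the quotes around `"/opt/tsg/tfe/bin/tfe"` that the header comment says are unsupported outside `environment=`. Both programs run as `user=root`; if tfe itself needs root only for the netlink/iptables setup, that belongs to tfe-env alone.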
@@ -0,0 +1,108 @@
+#!/bin/bash
+
+INCOMING_DEVICE=tun_kni
+
+LOCAL_MAC_ADDR=fe:65:b7:00:00:01
+PEER_MAC_ADDR=aa:bb:cc:dd:ee:ff
+
+LOCAL_IP_ADDR=172.16.241.2
+PEER_IP_ADDR=172.16.241.1
+
+start_fun()
+{
+ # 创建虚拟网卡
+ /usr/sbin/ip tuntap add dev ${INCOMING_DEVICE} mode tun one_queue
+
+ # 设置网卡的 MAC
+ /usr/sbin/ip link set ${INCOMING_DEVICE} address ${LOCAL_MAC_ADDR}
+ # 设置网卡的状态
+ /usr/sbin/ip link set ${INCOMING_DEVICE} up
+ /usr/sbin/ip addr flush dev ${INCOMING_DEVICE}
+
+ # 设置网卡的 IPv4 地址
+ /usr/sbin/ip addr add ${LOCAL_IP_ADDR}/30 dev ${INCOMING_DEVICE}
+
+ # 刷新网卡的 ARP
+ # /usr/sbin/ip neigh flush dev ${INCOMING_DEVICE}
+ # 将 PEER 的 IP / MAC 加入到本地设备的 ARP 表中
+ #/usr/sbin/ip neigh add ${PEER_IP_ADDR} lladdr ${PEER_MAC_ADDR} dev ${INCOMING_DEVICE} nud permanent
+
+ ###########################################################################
+ # policy route v4
+ ###########################################################################
+
+ # 流入的流量走 100 号路由表
+ /usr/sbin/ip rule add iif ${INCOMING_DEVICE} tab 100
+ /usr/sbin/ip route add local default dev lo table 100
+
+ # 流出的带 0x65 的流量走 101 号路由表
+ /usr/sbin/ip rule add fwmark 0x65 lookup 101
+ /usr/sbin/ip route add default dev ${INCOMING_DEVICE} via ${PEER_IP_ADDR} table 101
+
+ ###########################################################################
+ # policy route v6
+ ###########################################################################
+
+ # 设置网卡的 IPv6 地址
+ /usr/sbin/ip addr add fd00::02/64 dev ${INCOMING_DEVICE}
+
+ /usr/sbin/ip -6 route add default via fd00::01
+
+ # 流入的流量走 102 号路由表
+ /usr/sbin/ip -6 rule add iif ${INCOMING_DEVICE} tab 102
+ /usr/sbin/ip -6 route add local default dev lo table 102
+
+ # 将 PEER 的 IP / MAC 加入到本地设备的 ARP 表中
+ #/usr/sbin/ip -6 neigh add fd00::01 lladdr ${PEER_MAC_ADDR} dev ${INCOMING_DEVICE} nud permanent
+
+ ###########################################################################
+ # iptables netfilter
+ ###########################################################################
+ iptables -A INPUT -i ${INCOMING_DEVICE} -m bpf --bytecode '14,48 0 0 0,84 0 0 240,21 0 10 64,48 0 0 9,21 0 8 6,40 0 0 6,69 6 0 8191,177 0 0 0,80 0 0 20,21 0 3 88,80 0 0 21,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
+}
+
+stop_fun()
+{
+ iptables -F
+
+ /usr/sbin/ip rule del iif ${INCOMING_DEVICE} tab 100
+ /usr/sbin/ip route del local default dev lo table 100
+
+ /usr/sbin/ip rule del fwmark 0x65 lookup 101
+ /usr/sbin/ip route del default dev ${INCOMING_DEVICE} via ${PEER_IP_ADDR} table 101
+
+ /usr/sbin/ip -6 rule del iif ${INCOMING_DEVICE} tab 102
+ /usr/sbin/ip -6 route del default via fd00::01
+ /usr/sbin/ip -6 route del local default dev lo table 102
+
+ /usr/sbin/ip addr del fd00::02/64 dev ${INCOMING_DEVICE}
+
+ /usr/sbin/ip link set ${INCOMING_DEVICE} down
+
+ # 删除虚拟网卡
+ /usr/sbin/ip tuntap del dev ${INCOMING_DEVICE} mode tap
+}
+
+status_fun()
+{
+ iptables -L
+}
+
+case "$1" in
+ start)
+ start_fun
+ ;;
+ stop)
+ stop_fun
+ ;;
+ restart)
+ stop_fun
+ start_fun
+ ;;
+ status)
+ status_fun
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|status|restart}"
+esac
+exit 0
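Review bot: `stop_fun` removes the device with `ip tuntap del dev ${INCOMING_DEVICE} mode tap` while `start_fun` created it with `mode tun`, so the delete fails on the mode mismatch and `restart` leaves the old device in place; change it to `/usr/sbin/ip tuntap del dev ${INCOMING_DEVICE} mode tun`. `iptables -F` in stop_fun flushes every chain of the filter table, not just the single NFQUEUE rule start_fun added, which wipes any other policy in the container's namespace; keep the bytecode in one variable used by both functions and remove only that rule with `iptables -D INPUT -i ${INCOMING_DEVICE} -m bpf --bytecode "${BPF_MATCH}" -j NFQUEUE --queue-num 1`. The script has no `set -e` and always ends with `exit 0`, so supervisord cannot distinguish a failed start from a successful one. The BPF bytecode on the `iptables -A` line is opaque; a comment naming which packets it selects and the filter expression it was compiled from would make it reviewable, and English comments would match the other files in this commit.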