添加ansible工程

mkimage-yum.sh

@@ -56,8 +56,9 @@ package_to_install="@base @core @debugging @directory-client @guest-agents
 
 setopt="group_package_types=mandatory,default,optional"
 
+enabled_repos="base,extras,updates"
+
 yum -c "$yum_config" --installroot="$target" -y --setopt=$setopt install $package_to_install
-yum -c "$yum_config" --installroot="$target" -y --setopt=$setopt clean all
 
 cat > "$target"/etc/sysconfig/network <<EOF
 NETWORKING=yes
@@ -98,7 +99,8 @@ fi
 
 #tar --numeric-owner -c -C "$target" . | docker import - $name:$version
 #docker run -i -t $name:$version echo success
-
+ansible-playbook -i /root/tsg-9140-scripts/install_config/tsg_9140_host /root/tsg-9140-scripts/tsg_9140_deploy.yml
+yum -c "$yum_config" --installroot="$target" -y --setopt=$setopt clean all
 tar --numeric-owner -c -C centos_mkroot/ . | bzip2 > input/centos-7-chroot.tar.bz2
 
 #rm -rf "$target"

tsg-9140-scripts/install_config/group_vars/tsg_9140_docker.yml

@@ -0,0 +1,51 @@
+TSG_9140_data_incoming:
+  x710_3300: enp1s0
+  vf0_name: enp1s2
+  x710_3200: enp130s0
+  vf1_name: enp130s2
+
+TSG_9140_VXLAN:
+  keepalive_ip: "10.254.19.1"
+  keepalive_mask: "255.255.255.252"
+
+TSG_9140_mrzcpd:
+  iocore: 52,53,54,55
+
+mrtunnat:
+  lcore_id: 38
+
+sapp:
+  worker_threads: 22
+  send_only_threads_max: 1
+  bind_mask: 15,16,17,18,19,20,21,22,23,24,25,26,27,42,43,44,45,46,47,48,49,50,51
+  inbound_route_dir: 1
+
+sapp_prometheus_enable: 1
+sapp_prometheus_port: 9273
+sapp_prometheus_url_path: "/metrics"
+breakpad_upload_url: http://127.0.0.1:9000/api/2/minidump/?sentry_key=3556bac347c74585a994eb6823faf5c6
+
+inline_device_config:
+  keepalive_ip: 10.254.19.1
+  keepalive_mask: 255.255.255.252
+  data_incoming: enp131s0f3
+
+nic_mgr:
+  name: enp131s0f3
+
+kni_log_level: 10
+
+#Kni Config
+kni:
+  global:
+    tfe_node_count: 1
+  watch_dog:
+    switch: 1
+  maat:
+    readconf_mode: 2
+  send_logger:
+    switch: 1
+  tfe_nodes:
+    tfe0_enabled: 1
+    tfe1_enabled: 0
+    tfe2_enabled: 0

tsg-9140-scripts/install_config/tsg_9140_host

@@ -0,0 +1,6 @@
+[tsg_9140]
+centos7 ansible_connection=docker
+[tsg_9140_init]
+192.168.40.85
+[tsg_9140_chroot]
+/root/geedge-work/tsg-os-installer/centos_mkroot/  ansible_connection=chroot

tsg-9140-scripts/roles/cert-redis/files/cert-redis.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Redis persistent key-value database
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/redis-server /etc/cert-redis.conf --supervised systemd
+ExecStop=/usr/libexec/redis-shutdown cert-redis
+Type=notify
+
+[Install]
+WantedBy=multi-user.target
+

tsg-9140-scripts/roles/cert-redis/tasks/main.yml

@@ -0,0 +1,16 @@
+- name: "copy cert-redis file to dest"
+  copy:
+    src: "{{ role_path }}/files/"
+    dest: "{{ item.dest }}"
+    mode: "{{ item.mode }}"
+  with_items:
+    - { src: "cert-redis.conf" , dest: "/etc" , mode: "0644" } 
+    - { src: "cert-redis.service" , dest: "/usr/lib/systemd/system" , mode: "0644" }
+
+#- name: "start cert-redis"
+#  systemd:
+#
+#    name: cert-redis.service
+#    state: started
+#    daemon_reload: yes
+#    enabled: yes

tsg-9140-scripts/roles/certstore/files/memory.conf

@@ -0,0 +1,3 @@
+[Service]
+MemoryLimit=16G
+ExecStartPost=/bin/bash -c "echo 16G > /sys/fs/cgroup/memory/system.slice/certstore.service/memory.memsw.limit_in_bytes"

tsg-9140-scripts/roles/certstore/tasks/main.yml

@@ -0,0 +1,37 @@
+- name: "copy certstore rpm to destination"
+  copy:
+    src: "{{ role_path }}/files/"
+    dest: "/tmp/ansible_deploy/"
+
+- name: Ensures /opt/tsg exists
+  file: path=/opt/tsg state=directory
+  tags: mkdir
+
+- name: install certstore
+  yum:
+    name:
+      - /tmp/ansible_deploy/certstore-2.1.6.20201215.f2e9ba7-1.el7.x86_64.rpm
+    state: present
+
+- name: template certstore configure file
+  template:
+    src: "{{ role_path }}/templates/cert_store.ini.j2"
+    dest: /opt/tsg/certstore/conf/cert_store.ini
+
+- name: template certstore zlog file
+  template:
+    src: "{{ role_path }}/templates/zlog.conf.j2"
+    dest: /opt/tsg/certstore/conf/zlog.conf
+
+- name: "copy memory limit file to certstore.service.d"
+  copy:
+    src: "{{ role_path }}/files/memory.conf"
+    dest: /etc/systemd/system/certstore.service.d/
+    mode: 0644
+
+#- name: "start certstore"
+#  systemd:
+#    name: certstore.service
+#    state: started
+#    enabled: yes
+#    daemon_reload: yes

tsg-9140-scripts/roles/certstore/templates/cert_store.ini.j2

@@ -0,0 +1,60 @@
+[SYSTEM]
+#1:print on screen, 0:don't
+DEBUG_SWITCH = 1
+RUN_LOG_PATH = "conf/zlog.conf"
+
+[breakpad]
+disable_coredump=0
+enable_breakpad=1
+breakpad_minidump_dir=/tmp/certstore/crashreport
+enable_breakpad_upload=1
+breakpad_upload_url= http://127.0.0.1:9000/api/2/minidump/?sentry_key=3556bac347c74585a994eb6823faf5c6
+
+[CONFIG]
+#Number of running threads
+thread-nu = 4
+#1 rsync, 0 sync
+mode=1
+#Local default root certificate is valid for 30 days by default
+expire_after = 30
+#Local default root certificate path
+local_debug = 1
+ca_path = ./cert/tango-ca-v3-trust-ca.pem
+untrusted_ca_path = ./cert/tango-ca-v3-untrust-ca.pem
+
+[MAAT]
+#Configure the load mode,
+#0: using the configuration distribution network
+#1: using local json
+#2: using Redis reads
+maat_json_switch=2
+#When the loading mode is sent to the network, set the scanning configuration modification interval (s).
+effective_interval=1
+#Specify the location of the configuration library table file
+table_info=./conf/table_info.conf
+#Incremental profile path
+inc_cfg_dir=./rule/inc/index
+#Full profile path
+full_cfg_dir=./rule/full/index
+#Json file path when json schema is used
+pxy_obj_keyring=./conf/pxy_obj_keyring.json
+
+[LIBEVENT]
+#Local monitor port number, default is 9991
+port = 9991
+
+[CERTSTORE_REDIS]
+#The Redis server IP address and port number where the certificate is stored locally
+ip = 127.0.0.1
+port = 6379
+
+[MAAT_REDIS]
+#Maat monitors the Redsi server IP address and port number
+ip = 192.168.44.72
+port = 7002
+dbindex =  0
+[stat]
+statsd_server=127.0.0.1
+statsd_port=8100
+statsd_set_prometheus_port=9002
+statsd_set_prometheus_url_path=/metrics

tsg-9140-scripts/roles/certstore/templates/zlog.conf.j2

@@ -0,0 +1,9 @@
+[global]
+default format = "%d(%c), %V, %F, %U, %m%n"
+[levels]
+DEBUG=10
+INFO=20
+FATAL=30
+[rules]
+*.fatal        "./logs/error.log.%d(%F)";
+*.30        "./logs/certstore.log.%d(%F)"

tsg-9140-scripts/roles/exporter/tasks/main.yml

@@ -0,0 +1,72 @@
+- name: "copy freeipmi tools"
+  copy:
+    src: '{{ role_path }}/files/freeipmi-1.5.7-3.el7.x86_64.rpm'
+    dest: /tmp/ansible_deploy/
+
+- name: "Install freeipmi rpm package"
+  yum:
+    name:
+      - "/tmp/ansible_deploy/freeipmi-1.5.7-3.el7.x86_64.rpm"
+    state: present
+
+- name: "mkdir /opt/exporter/"
+  file:
+    path: /opt/exporter/
+    state: directory
+
+- name: "copy node_exporter"
+  copy:
+    src: '{{ role_path }}/files/node_exporter'
+    dest: /opt/exporter/node_exporter
+    mode: 0755
+
+- name: "copy systemd_exporter"
+  copy:
+    src: '{{ role_path }}/files/systemd_exporter'
+    dest: /opt/exporter/systemd_exporter
+    mode: 0755
+
+- name: "copy ipmi_exporter"
+  copy:
+    src: '{{ role_path }}/files/ipmi_exporter'
+    dest: /opt/exporter/ipmi_exporter
+    mode: 0755
+
+- name: "templates atca-exporter-node.service"
+  template:
+    src: "{{role_path}}/templates/exporter-node.service.j2"
+    dest: /usr/lib/systemd/system/exporter-node.service
+  tags: template
+
+- name: "templates atca-exporter-systemd.service"
+  template:
+    src: "{{role_path}}/templates/exporter-systemd.service.j2"
+    dest: /usr/lib/systemd/system/exporter-systemd.service
+  tags: template
+
+- name: "templates atca-exporter-ipmi.service"
+  template:
+    src: "{{role_path}}/templates/exporter-ipmi.service.j2"
+    dest: /usr/lib/systemd/system/exporter-ipmi.service
+  tags: template
+
+#- name: 'atca-exporter-node service start'
+#  systemd:
+#    name: atca-exporter-node
+#    enabled: yes
+#    daemon_reload: yes
+#    state: started
+#
+#- name: 'atca-exporter-systemd service start'
+#  systemd:
+#    name: atca-exporter-systemd
+#    enabled: yes
+#    daemon_reload: yes
+#    state: restarted
+#
+#- name: 'atca-exporter-ipmi service start'
+#  systemd:
+#    name: atca-exporter-ipmi
+#    enabled: yes
+#    daemon_reload: yes
+#    state: restarted

tsg-9140-scripts/roles/exporter/templates/exporter-ipmi.service.j2

@@ -0,0 +1,11 @@
+[Unit]
+Description=IPMI Exporter
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/opt/exporter/ipmi_exporter
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

tsg-9140-scripts/roles/exporter/templates/exporter-node.service.j2

@@ -0,0 +1,11 @@
+[Unit]
+Description=Node Exporter
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/opt/exporter/node_exporter
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

tsg-9140-scripts/roles/exporter/templates/exporter-systemd.service.j2

@@ -0,0 +1,11 @@
+[Unit]
+Description=Systemd Exporter
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/opt/exporter/systemd_exporter --web.disable-exporter-metrics
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

tsg-9140-scripts/roles/firewall/tasks/main.yml

@@ -0,0 +1,63 @@
+---
+- name: "copy firewall rpms to destination server"
+  copy:
+    src: "{{ role_path }}/files/"
+    dest: /tmp/ansible_deploy/
+
+- name: "install firewall packages"
+  yum:
+    name: "{{ fw_packages }}"
+    state: present
+    skip_broken: yes
+  vars:
+    fw_packages:
+      - /tmp/ansible_deploy/capture_packet_plug-3.0.6.a2db4a4-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/conn_telemetry-1.0.2.8d6da43-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/dns-2.0.11.2265b5c-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/ftp-1.0.8.13d5fda-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_dns_plug-3.0.2.dab58fa-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_ftp_plug-3.0.1.0a78573-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_http_plug-3.1.5.69f6482-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_mail_plug-3.0.2.7401550-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_quic_plug-3.0.4.947ef77-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_ssl_plug-3.0.6.a121701-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/http-2.0.5.c61ad9a-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/mail-1.0.9.c1d3bde-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/quic-1.1.17.8c22b4d-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/ssl-1.0.12.16b8fb5-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/tsg_conn_sketch-2.1.4.f333054-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/rtp-1.0.4.91b4ab7-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/mesa_sip-1.0.9.ede6893-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_voip_plug-1.0.2.090e5da-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/app_proto_identify-1.0.9.a6581a6-2.el7.x86_64.rpm
+
+- name: "Template the tsgconf/main.conf"
+  template:
+    src: "{{ role_path }}/templates/main.conf.j2"
+    dest: /home/mesasoft/sapp_run/tsgconf/main.conf
+  tags: template
+
+
+- name: "Template the tsgconf/maat.conf"
+  template:
+    src: "{{ role_path }}/templates/maat.conf.j2"
+    dest: /home/mesasoft/sapp_run/tsgconf/maat.conf
+  tags: template
+
+- name: "Template the conf/capture_packet_plug.conf.j2"
+  template:
+    src: "{{ role_path }}/templates/capture_packet_plug.conf.j2"
+    dest: /home/mesasoft/sapp_run/conf/capture_packet_plug.conf
+  tags: template
+
+- name: "Template the tsgconf/app_l7_proto_id.conf"
+  template:
+    src: "{{ role_path }}/templates/app_l7_proto_id.conf.j2"
+    dest: /home/mesasoft/sapp_run/tsgconf/app_l7_proto_id.conf
+ 
+- name: "Template the /home/mesasoft/sapp_run/plug/business/tsg_conn_sketch/tsg_conn_sketch.inf"
+  template:
+    src: "{{ role_path }}/templates/tsg_conn_sketch.inf.j2"
+    dest: /home/mesasoft/sapp_run/plug/business/tsg_conn_sketch/tsg_conn_sketch.inf
+  tags: template
+

tsg-9140-scripts/roles/firewall/templates/app_l7_proto_id.conf.j2

@@ -0,0 +1,51 @@
+#TYPE：1:UCHAR,2:USHORT,3:USTRING,4:ULOG,5:USTRING,6:FILE,7:UBASE64,8:PACKET
+#TYPE	FIELD		VALUE
+STRING	UNCATEGORIZED	100
+STRING	UNCATEGORIZED	101
+STRING	UNKNOWN_OTHER	102
+STRING	DNS		103
+STRING	FTP		104
+STRING	FTPS		105
+STRING	HTTP		106
+STRING	HTTPS		107
+STRING	ICMP		108
+STRING	IKE		109
+STRING	MAIL		110
+STRING	IMAPS		111
+STRING	IPSEC		112
+STRING	XMPP		113
+STRING	L2TP		114
+STRING	NTP		115
+STRING	POP3S		117
+STRING	PPTP		118
+STRING	QUIC		119
+STRING	SIP		120
+STRING	SMB		121
+STRING	SMTPS		123
+STRING	SPDY		124
+STRING	SSH		125
+STRING	SSL		126
+STRING	SOCKS		127
+STRING	TELNET		128
+STRING	DHCP		129
+STRING	RADIUS		130
+STRING	OPENVPN		131
+STRING	STUN		132
+STRING	TEREDO		133
+STRING	DTLS		134
+STRING	DoH		135
+STRING	ISAKMP		136
+STRING	MDNS		137
+STRING	NETBIOS		138
+STRING	NETFLOW		139
+STRING	RDP		140
+STRING	RTCP		141
+STRING	RTP		142
+STRING	SLP		143
+STRING	SNMP		144
+STRING	SSDP		145
+STRING	TFTP		146
+STRING	BJNP		147
+STRING	LDAP		148
+STRING	RTMP		149
+STRING	RTSP		150

tsg-9140-scripts/roles/firewall/templates/capture_packet_plug.conf.j2

@@ -0,0 +1,27 @@
+[MAAT]
+MAAT_MODE=2
+#EFFECTIVE_FLAG=
+STAT_SWITCH=1
+PERF_SWITCH=1
+TABLE_INFO=conf/capture_packet_tableinfo.conf
+STAT_FILE=capture_packet_maat.status
+EFFECT_INTERVAL_S=1
+REDIS_IP=192.168.44.72
+REDIS_PORT_NUM=1
+REDIS_PORT=7002
+REDIS_INDEX=0
+JSON_CFG_FILE=conf/capture_packet_maat.json
+INC_CFG_DIR=capture_packet_rule/inc/index/
+FULL_CFG_DIR=capture_packet_rule/full/index/
+EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
+
+ACCEPT_TAGS={"tags":[{"tag":"data_center","value":"Beijing"}]}
+
+[LOG]
+NIC_NAME=enp131s0f3
+BROKER_LIST=192.168.44.12:9092
+FIELD_FILE=conf/capture_packet_log_field.conf
+
+[SYSTEM]
+LOG_LEVEL=30
+LOG_PATH=./tsglog/capture_packet_plug/capture_packet

tsg-9140-scripts/roles/firewall/templates/maat.conf.j2

@@ -0,0 +1,52 @@
+[STATIC]
+###0:location 1:json 2:redis
+MAAT_MODE=2
+STAT_SWITCH=1
+PERF_SWITCH=1
+TABLE_INFO=tsgconf/tsg_static_tableinfo.conf
+STAT_FILE=tsg_static_maat.status
+EFFECT_INTERVAL_S=1
+REDIS_IP=192.168.44.72
+REDIS_PORT_NUM=1
+REDIS_PORT=7002
+REDIS_INDEX=0
+JSON_CFG_FILE=tsgconf/tsg_maat.json
+INC_CFG_DIR=tsgrule/inc/index/
+FULL_CFG_DIR=tsgrule/full/index/
+EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
+
+[DYNAMIC]
+###0:location 1:json 2:redis
+MAAT_MODE=2
+STAT_SWITCH=1
+PERF_SWITCH=1
+TABLE_INFO=tsgconf/tsg_dynamic_tableinfo.conf
+STAT_FILE=tsg_dynamic_maat.status
+EFFECT_INTERVAL_S=1
+REDIS_IP=192.168.44.72
+REDIS_PORT_NUM=1
+REDIS_PORT=7002
+REDIS_INDEX=1
+JSON_CFG_FILE=tsgconf/tsg_maat.json
+INC_CFG_DIR=tsgrule/inc/index/
+FULL_CFG_DIR=tsgrule/full/index/
+EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
+
+[APP_SIGNATURE_MAAT]
+MAAT_MODE=2
+STAT_SWITCH=1
+PERF_SWITCH=1
+TABLE_INFO=tsgconf/app_sketch_tableinfo.conf
+STAT_FILE=app_sketch_maat.status
+EFFECT_INTERVAL_S=1
+REDIS_IP=192.168.44.72
+REDIS_PORT_NUM=1
+REDIS_PORT=7002
+REDIS_INDEX=0
+JSON_CFG_FILE=tsgconf/app_sketch_maat.json
+INC_CFG_DIR=tsgrule/inc/index/
+FULL_CFG_DIR=tsgrule/full/index/
+EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
+
+[MAAT]
+ACCEPT_TAGS={"tags":[{"tag":"data_center","value":"Beijing"}]}

tsg-9140-scripts/roles/firewall/templates/main.conf.j2

@@ -0,0 +1,95 @@
+[VOIP_PLUG]
+TIMEOUT=300
+LOG_PATH="./tsglog/fw_voip_plug/fw_voip_plug"
+LOG_LEVEL=30
+TABLE_TO=TSG_FIELD_SIP_TO
+TABLE_FROM=TSG_FIELD_SIP_FROM
+
+[FTP_PLUG]
+LOG_PATH="./tsglog/fw_ftp_plug/fw_ftp_plug"
+LOG_LEVEL=30
+TIMEOUT=600
+
+[MAIL_PLUG]
+LOG_PATH="./tsglog/fw_mail_plug/fw_mail_plug"
+LOG_LEVEL=30
+TIMEOUT=600
+
+[HTTP_PLUG]
+LOG_PATH="./tsglog/fw_http_plug/fw_http_plug"
+LOG_LEVEL=30
+
+[DNS_PLUG]
+LOG_PATH="./tsglog/fw_dns_plug/fw_dns_plug"
+LOG_LEVEL=30
+
+[QUIC_PLUG]
+LOG_PATH="./tsglog/fw_quic_plug/fw_quic_plug"
+LOG_LEVEL=30
+
+[CONTROL_PLUG]
+LOG_PATH="./tsglog/app_control_plug/app_control_plug"
+LOG_LEVEL=30
+
+[MAAT]
+PROFILE="./tsgconf/maat.conf"
+SUBSCRIBER_ID_TABLE="TSG_OBJ_SUBSCRIBER_ID"
+CB_SUBSCRIBER_IP_TABLE="TSG_DYN_SUBSCRIBER_IP"
+IP_ADDR_TABLE="TSG_SECURITY_ADDR"
+
+[TSG_LOG]
+MODE=1
+NIC_NAME="enp131s0f3"
+MAX_SERVICE=1
+LOG_LEVEL=30
+LOG_PATH="./tsglog/tsglog"
+BROKER_LIST="192.168.44.12:9092"
+COMMON_FIELD_FILE="tsgconf/tsg_log_field.conf"
+
+[STATISTIC]
+CYCLE=5
+TELEGRAF_PORT=8100
+TELEGRAF_IP="127.0.0.1"
+OUTPUT_PATH="./tsg_statistic.log"
+APP_NAME="statistic"
+
+[FIELD_STAT]
+CYCLE=5
+TELEGRAF_PORT=8100
+TELEGRAF_IP="127.0.0.1"
+OUTPUT_PATH="./tsg_stat.log"
+APP_NAME="tsg_master"
+
+[SYSTEM]
+NIC_NAME="enp131s0f3"
+ENTRANCE_ID=0
+LOG_LEVEL=30
+LOG_PATH="./tsglog/tsg_master"
+POLICY_PRIORITY_LABEL="POLICY_PRIORITY"
+DEVICE_ID_COMMAND="hostname | awk -F'-' '{print $3}'| awk -F'adc' '{print $2}'"
+
+[TSG_CONN_SKETCH]
+log_service=2
+
+
+[HOS_CONF]
+hos_serverip="192.168.40.223"
+hos_serverport=9098
+hos_accesskeyid="default"
+hos_secretkey="default"
+hos_poolsize=100
+hos_thread_sum=32
+hos_cache_size=102400
+hos_fs2_serverip="127.0.0.1"
+hos_fs2_serverport=10086
+
+[APP_SKETCH_LOCAL]
+LOG_LEVEL=10
+LOG_PATH="./tsglog/app_sketch_local/app_sketch_local"
+L7_PROTOCOL_LABEL="BASIC_PROTO_LABEL"
+
+[APP_SKETCH_FEEDBACK]
+QOS=1
+PUBLISH_TOPIC="APP_SIGNATURE_ID"
+#CLIENT_ID=
+BROKER_LIST="tcp://192.168.40.161:1883"

tsg-9140-scripts/roles/firewall/templates/tsg_conn_sketch.inf.j2

@@ -0,0 +1,35 @@
+[PLUGINFO]
+PLUGNAME=TSG_CONN_SKETCH
+SO_PATH=./plug/business/tsg_conn_sketch/tsg_conn_sketch.so
+INIT_FUNC=tsg_conn_record_init
+DESTROY_FUNC=tsg_conn_record_destroy
+
+
+[TCP]
+FUNC_FLAG=ALL
+FUNC_NAME=tsg_record_tcp_entry
+
+[TCP_ALL]
+FUNC_FLAG=ALL
+FUNC_NAME=tsg_record_tcpall_entry
+
+[UDP]
+FUNC_FLAG=ALL
+FUNC_NAME=tsg_record_udp_entry
+
+[HTTP]
+FUNC_FLAG=ALL
+FUNC_NAME=tsg_record_http_entry
+
+[SSL]
+FUNC_FLAG=SSL_CLIENT_HELLO,SSL_SERVER_HELLO,SSL_APPLICATION_DATA,SSL_CERTIFICATE_DETAIL
+FUNC_NAME=tsg_record_ssl_entry
+
+#[DNS]
+#FUNC_FLAG=ALL
+#FUNC_NAME=tsg_record_dns_entry
+
+[MAIL]
+FUNC_FLAG=ALL
+FUNC_NAME=tsg_record_mail_entry
+

tsg-9140-scripts/roles/framework/files/framework.conf

@@ -0,0 +1 @@
+/opt/MESA/lib/

tsg-9140-scripts/roles/framework/tasks/main.yml

@@ -0,0 +1,46 @@
+- name: "copy framework rpms to destination server"
+  copy:
+    src: "{{ role_path }}/files/"
+    dest: "/tmp/ansible_deploy/"
+
+- name: "install framework packages"
+  yum:
+    name: "{{ packages }}"
+    state: present
+    skip_broken: yes
+  vars:
+    packages:
+      - /tmp/ansible_deploy/libcjson-1.7.10.ab2896f-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libdocumentanalyze-2.0.6.2d1abe0-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libmaatframe-3.1.14.673eeb9-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libMESA_field_stat-1.0.2.6d45eed-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libMESA_field_stat2-2.9.10.72ac4f1-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libMESA_handle_logger-2.0.7.cb4ad71-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libMESA_htable-3.10.12.cf4ccfc-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libMESA_prof_load-1.0.6.c6da36a-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/librdkafka-0.11.4-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/librulescan-2.2.2.e5a4457-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libtsglua-1.0.8.0dbf2e6-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libwiredcfg-2.0.6.67ae0ab-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libWiredLB-2.0.5.4629165-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/lz4-1.7.5-3.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libbreakpad_mini-1.0.2.a56ef00-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libaws-c-common-1.0.3.fa2adf0-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libaws-c-event-stream-1.0.6.67fd944-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libaws-checksums-1.0.6.8b09ac1-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libaws-cpp-sdk-core-1.0.8.a3fe079-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libaws-cpp-sdk-s3-2.0.0.f3c33ea-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libhos-client-cpp-1.0.24.20e6f94-2.el7.x86_64.rpm  
+
+- name: "mkdir /etc/ld.so.conf.d/"
+  file:
+    path: /etc/ld.so.conf.d/
+    state: directory
+
+- name: "copy framework.conf to destination server"
+  copy:
+    src: "{{ role_path }}/files/framework.conf"
+    dest: /etc/ld.so.conf.d/
+
+- name: "update ld"
+  command: ldconfig

tsg-9140-scripts/roles/kernel-ml/files/grub

@@ -0,0 +1,8 @@
+GRUB_TIMEOUT=5
+GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
+GRUB_DEFAULT=saved
+GRUB_DISABLE_SUBMENU=true
+GRUB_TERMINAL="serial console"
+GRUB_SERIAL_COMMAND="serial --speed=115200"
+GRUB_CMDLINE_LINUX="crashkernel=auto console=ttyS0,115200 intel_iommu=on iommu=pt pci=realloc,assign-busses"
+GRUB_DISABLE_RECOVERY="true"

tsg-9140-scripts/roles/kernel-ml/tasks/main.yml

@@ -0,0 +1,42 @@
+---
+- name: "copy framework rpms to destination server"
+  copy:
+    src: "{{ role_path }}/files/"
+    dest: "/tmp/ansible_deploy/"
+
+- name: "install kernels-ml"
+  yum:
+    name:
+      #- /tmp/ansible_deploy/pkgconfig-0.27.1-4.el7.x86_64.rpm
+      #- /tmp/ansible_deploy/zlib-devel-1.2.7-17.el7.x86_64.rpm
+      #- /tmp/ansible_deploy/elfutils-libelf-devel-0.168-8.el7.x86_64.rpm
+      - /tmp/ansible_deploy/kernel/kernel-lt-5.4.113-1.el7.elrepo.x86_64.rpm
+      - /tmp/ansible_deploy/kernel/kernel-lt-devel-5.4.113-1.el7.elrepo.x86_64.rpm
+      #装不上报错- /tmp/ansible_deploy/dkms-2.7.1-1.el7.noarch.rpm
+    state: present
+  register: t_kernel_ml
+
+#- name: "set kernel-ml as default kernel"
+#  command: /usr/sbin/grub2-set-default 0
+#  when: t_kernel_ml.changed
+#
+#- name: "copy /etc/default/grub"
+#  copy:
+#    src: "{{ role_path }}/files/grub"
+#    dest: "/etc/default"
+#  when:
+#    - tsg_access_type == 4 or tsg_access_type == 5
+#    - t_kernel_ml.changed
+#
+#- name: "BIOS:grub2-mkconfig"
+#  shell: grub2-mkconfig -o /boot/grub2/grub.cfg
+#  when:
+#    - tsg_access_type == 4 or tsg_access_type == 5
+#    - t_kernel_ml.changed
+#
+#- name: "UEFI:grub2-mkconfig"
+#  shell: grub2-mkconfig  -o /boot/efi/EFI/centos/grub.cfg
+#  when:
+#    - tsg_access_type == 4 or tsg_access_type == 5
+#    - t_kernel_ml.changed
+#

tsg-9140-scripts/roles/kni/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+- name: "copy kni to destination server"
+  copy:
+    src: "{{ role_path }}/files/"
+    dest: /tmp/ansible_deploy/
+
+- name: "install kni rpms from localhost"
+  yum:
+    name:
+      - /tmp/ansible_deploy/kni-21.03.03.3cd5031-2.el7.x86_64.rpm
+    state: present
+#    skip_broken: yes
+
+- name: Template the kni.conf
+  template:
+    src: "{{ role_path }}/templates/kni.conf.j2"
+    dest: /home/mesasoft/sapp_run/etc/kni/kni.conf
+  tags: template
+
+#- name: "enable sapp"
+#  systemd:
+#    name: sapp
+#    enabled: yes
+#    daemon_reload: yes

tsg-9140-scripts/roles/kni/templates/kni.conf.j2

@@ -0,0 +1,123 @@
+[global]
+log_path = ./log/kni/kni.log
+log_level = 30
+tfe_node_count = 1
+manage_eth = enp131s0f3
+deploy_mode = normal
+tun_name = tun_kni
+src_mac_addr = 00:0e:c6:d6:72:c1
+dst_mac_addr = fe:65:b7:03:50:bd
+[tfe0]
+enabled = 1
+dev_eth_symbol = enp1s2f1
+ip_addr = 192.168.100.1
+
+[tfe_cmsg_receiver]
+listen_eth = enp131s0f3.100
+listen_port = 2475
+
+[watch_dog]
+switch = 1
+listen_eth = enp131s0f3.100
+listen_port = 2476
+keepalive_idle = 2
+keepalive_intvl = 1
+keepalive_cnt = 3
+
+[marsio]
+appsym = knifw
+
+[dup_traffic]
+switch = 1
+action = 2
+capacity = 10000000
+error_rate = 0.00001
+expiry_time = 60
+
+[traceid2pme_htable]
+mho_screen_print_ctrl = 0
+mho_thread_safe = 1
+mho_mutex_num = 160
+mho_hash_slot_size = 640000
+mho_hash_max_element_num = 2560000
+mho_expire_time = 30
+mho_eliminate_type = LRU
+
+#per thread
+[tuple2stream_htable]
+mho_screen_print_ctrl = 0
+mho_thread_safe = 0
+mho_mutex_num = 160
+mho_hash_slot_size = 80000
+mho_hash_max_element_num = 320000
+mho_expire_time = 0
+mho_eliminate_type = LRU
+
+[field_stat]
+remote_switch = 1
+remote_ip = 127.0.0.1
+remote_port = 58100
+local_path = ./fs2_kni.status
+stat_cycle = 1
+print_mode = 1
+# 1:FS_OUTPUT_STATSD; 2:FS_OUTPUT_INFLUX_LINE
+statsd_format = 2
+APP_NAME = fs2_kni
+
+#self test Shunt rules security policy id
+[tsg_diagnose]
+enabled = 1
+security_policy_id = 3,10
+
+
+[ssl_dynamic_bypass]
+enabled = 0
+
+#kni dynamic bypass
+[traceid2sslinfo_htable]
+mho_screen_print_ctrl = 0
+mho_thread_safe = 1
+mho_mutex_num = 160
+mho_hash_slot_size = 80000
+mho_hash_max_element_num = 320000
+mho_expire_time = 300
+mho_eliminate_type = FIFO
+
+[sslinfo2bypass_htable]
+mho_screen_print_ctrl = 0
+mho_thread_safe = 1
+mho_mutex_num = 160
+mho_hash_slot_size = 640000
+mho_hash_max_element_num = 2560000
+mho_expire_time = 300
+mho_eliminate_type = FIFO
+
+[proxy_tcp_option]
+enabled = 1
+maat_table_compile = PXY_TCP_OPTION_COMPILE
+maat_table_addr = PXY_TCP_OPTION_ADDR
+maat_table_fqdn = PXY_TCP_OPTION_SERVER_FQDN
+enable_override = 0
+client_tcp_maxseg_enable = 0
+client_tcp_maxseg = 1460
+client_tcp_nodelay =  1
+client_tcp_ttl = 70
+client_tcp_keepalive_enable = 1
+client_tcp_keepalive_keepcnt = 8
+client_tcp_keepalive_keepidle = 30
+client_tcp_keepalive_keepintvl = 15
+client_tcp_user_timeout = 600
+server_tcp_maxseg_enable = 0
+server_tcp_maxseg = 1460
+server_tcp_nodelay = 1
+server_tcp_ttl = 75
+server_tcp_keepalive_enable = 1
+server_tcp_keepalive_keepcnt = 8
+server_tcp_keepalive_keepidle = 30
+server_tcp_keepalive_keepintvl = 15
+server_tcp_user_timeout = 600
+bypass_duplicated_packet = 0
+tcp_passthrough = 0
+
+[share_session_attribute]
+SESSION_ATTRIBUTE_LABEL=TSG_MASTER_INTERNAL_LABEL

tsg-9140-scripts/roles/maat-redis/files/maat-redis-exporter.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Redis Exporter for MAAT-REDIS
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/redis_exporter -redis.addr=redis://localhost:7002 -redis-only-metrics
+Type=simple
+
+[Install]
+WantedBy=multi-user.target
+

tsg-9140-scripts/roles/maat-redis/files/maat-redis.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Redis persistent key-value database
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/redis-server /etc/maat-redis.conf --supervised systemd
+ExecStop=/usr/libexec/redis-shutdown maat-redis
+Type=notify
+
+[Install]
+WantedBy=multi-user.target
+

tsg-9140-scripts/roles/maat-redis/tasks/main.yml

@@ -0,0 +1,31 @@
+- name: "copy maat-redis file to dest"
+  copy:
+    src: "{{ role_path }}/files/maat-redis.service"
+    dest: "/usr/lib/systemd/system"
+    mode: 0644
+
+- name: "copy maat-redis exporter file to dest"
+  copy:
+    src: "{{ role_path }}/files/maat-redis-exporter.service"
+    dest: "/usr/lib/systemd/system"
+    mode: 0644
+
+- name: "Template the maat-redis.conf"
+  template:
+    src: "{{ role_path }}/templates/maat-redis.conf.j2"
+    dest: /etc/maat-redis.conf
+  tags: template
+
+- name: "start maat-redis"
+  systemd:
+    name: maat-redis.service
+    state: started
+    daemon_reload: yes
+    enabled: yes
+
+#- name: "start maat-redis exporter"
+#  systemd:
+#    name: maat-redis-exporter.service
+#    state: started
+#    daemon_reload: yes
+#    enabled: yes

tsg-9140-scripts/roles/mrzcpd/tasks/main.yml

@@ -0,0 +1,92 @@
+---
+- name: "copy mrzcpd to destination server"
+  copy:
+    src: "{{ role_path }}/files/"
+    dest: "/tmp/ansible_deploy/"
+
+- name: "install mrzcpd"
+  yum:
+    name: /tmp/ansible_deploy/mrzcpd-4.3.30.4627eb7-1.el7.x86_64.rpm
+    state: present
+
+- name: "update sysconfig/mrzcpd"
+  template:
+    src: "{{ role_path }}/templates/mrzcpd.j2"
+    dest: /etc/sysconfig/mrzcpd
+
+- name: "update mrglobal.conf - TSG9140"
+  template:
+    src: "{{ role_path }}/templates/tsg_9140/mrglobal.conf.tsg_9140.j2"
+    dest: /opt/mrzcpd/etc/mrglobal.conf
+
+- name: "copy mrapp.sapp4.conf to destination server"
+  template:
+    src: "{{ role_path }}/templates/mrapp.sapp4.conf"
+    dest: /opt/mrzcpd/etc/mrapp.sapp4.conf
+
+- name: "update mrtunnat.conf.adc_inline"
+  template:
+    src: "{{ role_path }}/templates/tsg_9140/mrtunnat.conf.tsg_9140.j2"
+    dest: /opt/mrzcpd/etc/mrtunnat.conf
+
+#- name: "enable mrenv"
+#  systemd:
+#    name: mrenv
+#    enabled: yes
+#    daemon_reload: yes
+#  when:
+#    - tsg_access_type != 0
+#
+#- name: "enable mrzcpd"
+#  systemd:
+#    name: mrzcpd
+#    enabled: yes
+#    daemon_reload: yes
+#  when:
+#    - tsg_access_type != 0
+#
+#- name: "enable prometheus output - monit_device"
+#  systemd:
+#    name: mrapm_device
+#    enabled: yes
+#    daemon_reload: yes
+#
+#- name: "enable prometheus output - monit_stream"
+#  systemd:
+#    name: mrapm_stream
+#    enabled: yes
+#    daemon_reload: yes
+#
+#- name: "enable mrtunnat on master"
+#  systemd:
+#    name: mrtunnat
+#    enabled: no
+#    daemon_reload: yes
+#  when:
+#    - nic_traffic_mirror is not defined
+#    - tsg_access_type != 0
+#
+#- name: "disable mrtunnat on slave"
+#  systemd:
+#    name: mrtunnat
+#    enabled: no
+#    daemon_reload: yes
+#  when: nic_traffic_mirror is defined
+#
+#- name: "mask mrzcpd on server_tun_mode"
+#  systemd:
+#    name: mrzcpd
+#    enabled: no
+#    masked: yes
+#    daemon_reload: yes
+#  when:
+#    - tsg_access_type == 0
+#
+#- name: "mask mrtunnat on server_tun_mode"
+#  systemd:
+#    name: mrtunnat
+#    enabled: no
+#    masked: yes
+#    daemon_reload: yes
+#  when:
+#    - tsg_access_type == 0

tsg-9140-scripts/roles/mrzcpd/templates/mrapp.sapp4.conf

@@ -0,0 +1,2 @@
+[bpfdump:vxlan_user]
+enable=1

tsg-9140-scripts/roles/mrzcpd/templates/mrzcpd.j2

@@ -0,0 +1,3 @@
+MRZCPD_ROOT=/opt/mrzcpd
+HUGEPAGE_NUM_2M=16384
+DEFAULT_UIO_MODULE="igb_uio"

tsg-9140-scripts/roles/mrzcpd/templates/tsg_9140/mrglobal.conf.tsg_9140.j2

@@ -0,0 +1,57 @@
+[device]
+device=enp1s2,enp130s2,vxlan_user,vxlan_fwd
+sz_tunnel=8192
+sz_buffer=32
+
+[device:enp1s2]
+mtu=4096
+clear_tx_flags=1
+hw_strip_crc=1
+in_addr=10.254.19.1
+in_mask=255.255.255.252
+#rssmode=3
+
+[device:enp130s2]
+mtu=4096
+clear_tx_flags=1
+vlan-filter=1
+vlan-strip=1
+vlan-id-allow=4095
+vlan-pvid=0
+vlan-pvid-mode=2
+hw_strip_crc=1
+sz_tunnel=8192
+sz_buffer=0
+
+[service]
+# lcore id for i/o service, use comma to split
+iocore=55,54,53,52
+distmode=1
+hashmode=0
+idle_threshold=10000
+
+[eal]
+virtaddr=0x7f40c4a00000
+loglevel=7
+
+[keepalive]
+check_spinlock=0
+
+[ctrlzone]
+ctrlzone0=tunnat,64
+
+[pool]
+create_mode=3
+sz_direct_pktmbuf=2097152
+sz_indirect_pktmbuf=8192
+sz_cache=256
+sz_data=4096
+
+[forward]
+nr_forward_rule=6
+forward_rule_0=pv,enp1s2,enp1s2
+forward_rule_1=vp,enp1s2,enp1s2
+forward_rule_2=vv,vxlan_fwd,vxlan_user
+forward_rule_3=vv,vxlan_user,vxlan_fwd
+forward_rule_4=pv,enp130s2,enp130s2
+forward_rule_5=vp,enp130s2,enp130s2

tsg-9140-scripts/roles/mrzcpd/templates/tsg_9140/mrtunnat.conf.tsg_9140.j2

@@ -0,0 +1,20 @@
+[tunnat]
+lcore_id=38
+appsym=tunnat
+phydev=enp130s2
+virtdev=vxlan_fwd
+nr_max_sessions=524280
+nr_slots=1048576
+expire_time=60
+reverse_tunnel=0
+use_recent_tunnel=0
+use_link_info_table=1
+use_tuple4_as_sskey=0
+ctrlzone_addr_info_type=2
+idle_threshold=10000
+
+[vlan_flipping]
+enable=0
+c_router_vlan_id_0=1000
+i_router_vlan_id_0=1001
+en_mac_flipping_0=0

tsg-9140-scripts/roles/redis/tasks/main.yml

@@ -0,0 +1,18 @@
+- name: "redis rpm install:copy file to device"
+  copy:
+    src: '{{ role_path }}/files/'
+    dest: /tmp/ansible_deploy/
+
+
+- name: "redis rpm install:install redis"
+  yum:
+    name:
+      - "/tmp/ansible_deploy/jemalloc-3.6.0-1.el7.x86_64.rpm"
+      - "/tmp/ansible_deploy/redis40u-4.0.14-1.ius.centos7.x86_64.rpm"
+    state: present
+
+- name: "redis exporter"
+  copy:
+    src: '{{ role_path }}/files/'
+    dest: /usr/bin/
+    mode: 0755

tsg-9140-scripts/roles/sapp/files/memory.conf

@@ -0,0 +1,3 @@
+[Service]
+MemoryLimit=80G
+ExecStartPost=/bin/bash -c "echo 80G > /sys/fs/cgroup/memory/system.slice/sapp.service/memory.memsw.limit_in_bytes"