gfwleak/tsg-tsg-os-buildimage
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feature:TSG-10783:构建vsys os镜像

Browse Source
This commit is contained in:
fumingwei
2022-06-09 18:19:03 +08:00
parent 7e5e4f09a2
commit 39d8f71268
52 changed files with 2598 additions and 90 deletions
Download Patch File Download Diff File Expand all files Collapse all files

73
.gitlab-ci.yml
View File

@@ -2,7 +2,7 @@
variables:
GIT_STRATEGY: "clone"
BUILD_BASED_IMAGE_CENTOS7: "git.mesalab.cn:7443/mesa_platform/build-env:master"
BUILD_BASED_IMAGE_ROCKYLINUX8: "git.mesalab.cn:7443/mesa_platform/build-env:rockylinux"
BUILD_BASED_IMAGE_ROCKYLINUX8: "git.mesalab.cn:7443/mesa_platform/build-env:rockylinux-dindind"
.build_tsg-buildimage:
script:
@@ -79,6 +79,19 @@ feature_branch_build_TSGXP0804:
- /^rel-.*$/i
- /^update-.*$/i
feature_branch_build_TSGXP0906:
image: $BUILD_BASED_IMAGE_ROCKYLINUX8
stage: build
extends: .build_tsg-buildimage
variables:
PROFILE_LIST: TSGXNXR620G40R01P0906
DALIY_BUILD_VERSION: 1
except:
- tags
- /^dev-.*$/i
- /^rel-.*$/i
- /^update-.*$/i
feature_branch_build_server_unlocked:
image: $BUILD_BASED_IMAGE_CENTOS7
stage: build
@@ -177,6 +190,20 @@ develop_build_TSGXP0804:
only:
- /^dev-.*$/i
develop_build_TSGXP0906:
image: $BUILD_BASED_IMAGE_ROCKYLINUX8
stage: build
extends: .build_tsg-buildimage
variables:
PROFILE_LIST: TSGXNXR620G40R01P0906
UPLOAD_TO_FILE_REPO: 1
PULP3_FILE_REPO_NAME: tsg-os-images-develop
PULP3_FILE_DIST_NAME: tsg-os-images-develop
DALIY_BUILD_VERSION: 1
FILE_REPO_PATH: install/develop/tsg-os-images
only:
- /^dev-.*$/i
develop_build_server_unlocked:
image: $BUILD_BASED_IMAGE_CENTOS7
stage: build
@@ -277,6 +304,20 @@ testing_build_TSGXP0804:
only:
- /^rel-.*$/i
testing_build_TSGXP0906:
image: $BUILD_BASED_IMAGE_ROCKYLINUX8
stage: build
extends: .build_tsg-buildimage
variables:
PROFILE_LIST: TSGXNXR620G40R01P0906
UPLOAD_TO_FILE_REPO: 1
PULP3_FILE_REPO_NAME: tsg-os-images-testing
PULP3_FILE_DIST_NAME: tsg-os-images-testing
FILE_REPO_PATH: install/testing/tsg-os-images
DALIY_BUILD_VERSION: 1
only:
- /^rel-.*$/i
testing_build_server_unlocked:
image: $BUILD_BASED_IMAGE_CENTOS7
stage: build
@@ -377,6 +418,20 @@ rc_build_TSGXP0804:
only:
- /^.*-rc.*$/i
rc_build_TSGXP0906:
image: $BUILD_BASED_IMAGE_ROCKYLINUX8
stage: build
extends: .build_tsg-buildimage
variables:
PROFILE_LIST: TSGXNXR620G40R01P0906
UPLOAD_TO_FILE_REPO: 1
DALIY_BUILD_VERSION: 0
PULP3_FILE_REPO_NAME: tsg-os-images-rc
PULP3_FILE_DIST_NAME: tsg-os-images-rc
FILE_REPO_PATH: install/rc/tsg-os-images
only:
- /^.*-rc.*$/i
rc_build_server_unlocked:
image: $BUILD_BASED_IMAGE_CENTOS7
stage: build
@@ -487,6 +542,22 @@ release_build_TSGXP0804:
except:
- /^.*-rc.*$/i
release_build_TSGXP0906:
image: $BUILD_BASED_IMAGE_ROCKYLINUX8
stage: build
extends: .build_tsg-buildimage
variables:
PROFILE_LIST: TSGXNXR620G40R01P0906
UPLOAD_TO_FILE_REPO: 1
DALIY_BUILD_VERSION: 0
PULP3_FILE_REPO_NAME: tsg-os-images-release
PULP3_FILE_DIST_NAME: tsg-os-images-release
FILE_REPO_PATH: install/release/tsg-os-images
only:
- tags
except:
- /^.*-rc.*$/i
release_build_server_unlocked:
image: $BUILD_BASED_IMAGE_CENTOS7
stage: build

120
ansible/HAL_deploy.yml
View File

@@ -1,10 +1,3 @@
- hosts: all
remote_user: root
vars_files:
- install_config/group_vars/rpm_version.yml
roles:
- {role: rpm_download, tags: rpm_download}
- hosts: 7400-MCN0-P01R01
remote_user: root
vars_files:
@@ -141,4 +134,115 @@
- {role: wire_graft, tags: wire_graft}
- {role: tsg-os-provision-condition, tags: tsg-os-provision-condition}
- {role: hasp, tags: hasp}
- {role: OFED, tags: OFED}
- {role: OFED, tags: OFED}
- hosts: TSG-X-NXR620G40-R01-P0906
remote_user: root
vars_files:
- install_config/group_vars/HAL_TSGXNXR620G40R01P0906.yml
- install_config/group_vars/rpm_version.yml
roles:
- {role: k3s-install, tags: k3s-install}
- {role: tsg-os-provision, tags: tsg-os-provision}
- {role: tsg_device_tag, tags: tsg_device_tag}
- {role: tsg_sn, tags: tsg_sn}
- {role: framework, tags: framework}
- {role: mrzcpd, tags: mrzcpd}
- {role: redis, tags: redis}
- {role: exporter, tags: exporter}
- {role: docker, tags: docker}
- {role: tsg-diagnose, tags: tsg-diagnose}
- {role: tsg-exporter-proxy-TSGXP0804, tags: tsg-exporter-proxy-TSGXP0804}
- {role: vsys, tags: vsys}
- {role: system-init-TSG-X-P1403, tags: system-init-TSG-X-P1403}
- {role: system-init, tags: system-init}
- {role: tsg-os-provision-condition, tags: tsg-os-provision-condition}
- {role: hasp, tags: hasp}
- {role: OFED, tags: OFED}
- hosts: TSG-X-NXR620G40-R01-P0906-init
remote_user: root
vars_files:
- install_config/group_vars/HAL_TSGXNXR620G40R01P0906.yml
- install_config/group_vars/rpm_version.yml
roles:
- {role: tsg-os-provision, tags: tsg-os-provision}
- {role: container-tools-install, tags: container-tools-install}
- {role: tsg_sn, tags: tsg_sn}
- {role: framework, tags: framework}
- {role: mrzcpd, tags: mrzcpd}
- {role: sapp, tags: sapp}
- {role: tsg_master, tags: tsg_master}
- {role: kni, tags: kni}
- {role: firewall, tags: firewall}
- {role: tsg_app, tags: tsg_app}
- {role: redis, tags: redis}
- {role: certstore, tags: certstore}
- {role: tfe, tags: tfe}
- {role: telegraf_statistic, tags: telegraf_statistic}
- {role: wannat_wangw, tags: wannat_wangw}
- {role: wannat_common, tags: wannat_common}
- {role: wire_graft, tags: wire_graft}
- hosts: TSG-X-NXR620G40-R01-P0906-firewall
remote_user: root
vars_files:
- install_config/group_vars/HAL_TSGXNXR620G40R01P0906.yml
- install_config/group_vars/rpm_version.yml
roles:
- {role: tsg-os-provision, tags: tsg-os-provision}
- {role: container-tools-install, tags: container-tools-install}
- {role: framework, tags: framework}
- {role: mrzcpd, tags: mrzcpd}
- {role: sapp, tags: sapp}
- {role: tsg_master, tags: tsg_master}
- {role: kni, tags: kni}
- {role: firewall, tags: firewall}
- {role: tsg_app, tags: tsg_app}
- {role: wannat_wangw, tags: wannat_wangw}
- {role: wannat_common, tags: wannat_common}
- {role: wire_graft, tags: wire_graft}
- {role: hasp, tags: hasp}
- hosts: TSG-X-NXR620G40-R01-P0906-proxy
remote_user: root
vars_files:
- install_config/group_vars/HAL_TSGXNXR620G40R01P0906.yml
- install_config/group_vars/rpm_version.yml
roles:
- {role: tsg-os-provision, tags: tsg-os-provision}
- {role: container-tools-install, tags: container-tools-install}
- {role: framework, tags: framework}
- {role: mrzcpd, tags: mrzcpd}
- {role: tfe, tags: tfe}
- {role: hasp, tags: hasp}
- hosts: TSG-X-NXR620G40-R01-P0906-certstore
remote_user: root
vars_files:
- install_config/group_vars/HAL_TSGXNXR620G40R01P0906.yml
- install_config/group_vars/rpm_version.yml
roles:
- {role: tsg-os-provision, tags: tsg-os-provision}
- {role: container-tools-install, tags: container-tools-install}
- {role: framework, tags: framework}
- {role: redis, tags: redis}
- {role: certstore, tags: certstore}
- hosts: TSG-X-NXR620G40-R01-P0906-telegraf
remote_user: root
vars_files:
- install_config/group_vars/HAL_TSGXNXR620G40R01P0906.yml
- install_config/group_vars/rpm_version.yml
roles:
- {role: tsg-os-provision, tags: tsg-os-provision}
- {role: container-tools-install, tags: container-tools-install}
- {role: telegraf_statistic, tags: telegraf_statistic}
- hosts: server
remote_user: root
vars_files:
- install_config/group_vars/rpm_version.yml
roles:
- {role: rpm_download, tags: rpm_download}

62
ansible/install_config/group_vars/HAL_TSGXNXR620G40R01P0906.yml Normal file
View File

@@ -0,0 +1,62 @@
control_and_policy:
nic_name: "{% raw %}{{ network_setting.nic_policy_log.name }}{% endraw %}"
workload_zcpd:
cpu_affinity: "{% raw %}{{ workload_zcpd_cpu_affinity }}{% endraw %}"
hugepage_num_1G: 32
workload_firewall:
cpu_affinity: " "
worker_threads: 1
send_only_threads_max: 0
workload_proxy:
enable_cpu_affinity: 0
cpu_affinity: "{% raw %}{{ workload_proxy_cpu_affinity }}{% endraw %}"
worker_thread: "{% raw %}{{ workload_proxy_worker_thread }}{% endraw %}"
dp_traffic_mirror:
nic_name: "{% raw %}{{ network_setting.nic_mirror.name }}{% endraw %}"
traffic_mirror_vlan_id: 0
dp_steering_firewall:
#deloyment value: mirror,inline, transparent. mirror = one arm + mirror, inline = one arm + series, transparent = two arm + series
deployment: inline
#encapsulation value: vlan, vxlan, raw, provision
encapsulation: vxlan
# capture_packet value: pcap, driver
capture_packet: driver
nic_internal: "{% raw %}{{ network_setting.nic_raw.name }}{% endraw %}"
enable_mirror: 1
dp_steering_proxy:
###### location: value {local, foreign}
location: local
tun_mode: yes
node_list:
- nic_name: virtio_kni
dp_certstore:
location: local
dp_proxy:
nic_name_data_incoming: virtio_kni
mac_addr_data_incoming: 00:0e:c6:d6:72:c1
enable_traffic_mirror: 1
traffic_mirror_type: 1
prefix_path:
mrzcpd: /opt/tsg/mrzcpd
framework: /opt/tsg/framework
sapp: /opt/tsg/sapp
monitor:
enable_redis_exporter: 0
enable_ipmi_exporter: 0
diagnose:
virtual_server_nic: virtio_dign_s
virtual_client_nic: virtio_dign_c
### TSG-server, TSG-7400-mcn0 TSG-7400-mcn123 TSG-9140
runtime_env: TSG-X-P0906

10
ansible/roles/OFED/tasks/main.yml
View File

@@ -25,29 +25,29 @@
src: /tmp/OFED/MLNX_OFED_SRC-5.6-2.0.9.0.tgz
dest: /tmp/OFED/unarchived/
remote_src: yes
when: runtime_env == 'TSG-X-P0804'
when: runtime_env == 'TSG-X-P0804' or runtime_env == 'TSG-X-P0906'
- name: "Get linux kernel file path"
shell: uname -r
register: obtain_kernel_version
when: runtime_env == 'TSG-X-P0804'
when: runtime_env == 'TSG-X-P0804' or runtime_env == 'TSG-X-P0906'
- name: "execute OFED installer"
shell: /tmp/OFED/unarchived/MLNX_OFED_SRC-5.6-2.0.9.0/install.pl -k {{obtain_kernel_version.stdout}} --all --force
environment:
MAKEFLAGS :
when: runtime_env == 'TSG-X-P0804'
when: runtime_env == 'TSG-X-P0804' or runtime_env == 'TSG-X-P0906'
- name: "unarchive MFT RPM"
unarchive:
src: /tmp/OFED/mft-4.20.0-34-x86_64-rpm.tgz
dest: /tmp/OFED/unarchived/
remote_src: yes
when: runtime_env == 'TSG-X-P0804'
when: runtime_env == 'TSG-X-P0804' or runtime_env == 'TSG-X-P0906'
- name: "execute MFT installer"
shell: /tmp/OFED/unarchived/mft-4.20.0-34-x86_64-rpm/install.sh
when: runtime_env == 'TSG-X-P0804'
when: runtime_env == 'TSG-X-P0804' or runtime_env == 'TSG-X-P0906'
######TSG-X-P0804 install end ######

9
ansible/roles/certstore/tasks/main.yml
View File

@@ -5,6 +5,15 @@
#- name: "Install certstore"
# shell: rpm -i /tmp/rpm_download/{{ certstore_rpm_version.certstore }}*
- name: "download rpm packages: certstore"
yum:
name:
- "{{ certstore_rpm_version.certstore }}"
conf_file: "{{ rpm_repo_config_path }}"
state: present
download_only: yes
download_dir: "{{ path_download }}"
- name: "Get certstore rpm path"
find:
path: /tmp/rpm_download/

76
ansible/roles/container-tools-install/tasks/main.yml Normal file
View File

@@ -0,0 +1,76 @@
- name: "install ansible"
yum:
name: ansible
conf_file: "{{ rpm_repo_config_path }}"
state: present
when: PROFILE_ID == 'TSG-X-NXR620G40-R01-P0906-init'
- name: "Generate ansiblg.cfg after ansible upgrade in rockylinux8"
shell: ansible-config init --disabled > /etc/ansible/ansible.cfg
when: PROFILE_ID == 'TSG-X-NXR620G40-R01-P0906-init'
- name: 'change ansible hash_behaviour value replace to merge'
lineinfile:
path: /etc/ansible/ansible.cfg
backrefs: yes
regexp: "^(.*hash_behaviour.*=.*replace.*)$"
line: '\1\nhash_behaviour = merge'
when: PROFILE_ID == 'TSG-X-NXR620G40-R01-P0906-init'
- name: 'install psutil'
shell: pip3 install -i https://pypi.tuna.tsinghua.edu.cn/simple psutil
when: PROFILE_ID == 'TSG-X-NXR620G40-R01-P0906-init'
- name: "install tcpdump"
yum:
name: tcpdump
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install numactl-libs"
yum:
name: numactl-libs
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install iproute"
yum:
name: iproute
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install iptables"
yum:
name: iptables
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install procps"
yum:
name: procps
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install net-tools"
yum:
name: net-tools
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install ethtool"
yum:
name: ethtool
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install gdb"
yum:
name: gdb
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install ipmitool"
yum:
name: ipmitool
conf_file: "{{ rpm_repo_config_path }}"
state: present

11
ansible/roles/exporter/tasks/main.yml
View File

@@ -1,3 +1,14 @@
- name: "download rpm packages: freeipmi"
yum:
name: "{{ item }}"
conf_file: "{{ rpm_repo_config_path }}"
state: latest
download_only: yes
download_dir: "{{ path_download }}"
with_items:
- freeipmi
- systemd-sysv
- name: "Get freeipmi rpm path"
find:
path: /tmp/rpm_download/

9
ansible/roles/firewall/tasks/main.yml
View File

@@ -1,4 +1,13 @@
---
- name: "download rpm packages: firewall"
yum:
name: "{{ item.value }}"
conf_file: "{{ rpm_repo_config_path }}"
state: present
download_only: yes
download_dir: "{{ path_download }}"
with_dict: "{{ firewall_rpm_version }}"
- name: "Install firwall that are sapp plugins"
shell: rpm -i /tmp/rpm_download/{{ item.value }}* --prefix {{ prefix_path.sapp }}
with_dict: "{{ firewall_rpm_version }}"

9
ansible/roles/framework/tasks/main.yml
View File

@@ -11,6 +11,15 @@
- rsyslog-kafka
- librdkafka
- name: "download rpm packages: framework"
yum:
name: "{{ item.value }}"
state: present
conf_file: "{{ rpm_repo_config_path }}"
download_only: yes
download_dir: "{{ path_download }}"
with_dict: "{{ framework_rpm_version }}"
- name: "Install frameworks"
shell: rpm -i /tmp/rpm_download/{{ item.value }}* --prefix {{ prefix_path.framework }}
with_dict: "{{ framework_rpm_version }}"

9
ansible/roles/hasp/tasks/main.yml
View File

@@ -3,6 +3,15 @@
src: '{{ role_path }}/files/aksusbd-8.23-1.x86_64.rpm'
dest: /tmp/ansible_deploy/
- name: "download rpm packages: hasp_update"
yum:
name:
- "{{ hasp_update_rpm_version.hasp_update }}"
conf_file: "{{ rpm_repo_config_path }}"
state: present
download_only: yes
download_dir: "{{ path_download }}"
- name: "aksusbd rpm install: install aksusbd"
yum:
name:

8
ansible/roles/http_healthcheck/tasks/main.yml
View File

@@ -1,2 +1,10 @@
- name: "download rpm packages: http_healthcheck"
yum:
name: "{{ http_healthcheck_rpm_version.http_healthcheck }}"
conf_file: "{{ rpm_repo_config_path }}"
state: present
download_only: yes
download_dir: "{{ path_download }}"
- name: "Install http_healthcheck that is sapp plugins"
shell: rpm -i /tmp/rpm_download/{{ http_healthcheck_rpm_version.http_healthcheck }}* --prefix {{ prefix_path.sapp }}

BIN
ansible/roles/k3s-install/files/k3s Normal file
View File

Binary file not shown.

969
ansible/roles/k3s-install/files/k3s-install.sh Normal file
View File

@@ -0,0 +1,969 @@
#!/bin/sh
set -e
set -o noglob
# Usage:
# curl ... | ENV_VAR=... sh -
# or
# ENV_VAR=... ./install.sh
#
# Example:
# Installing a server without traefik:
# curl ... | INSTALL_K3S_EXEC="--disable=traefik" sh -
# Installing an agent to point at a server:
# curl ... | K3S_TOKEN=xxx K3S_URL=https://server-url:6443 sh -
#
# Environment variables:
# - K3S_*
# Environment variables which begin with K3S_ will be preserved for the
# systemd service to use. Setting K3S_URL without explicitly setting
# a systemd exec command will default the command to "agent", and we
# enforce that K3S_TOKEN or K3S_CLUSTER_SECRET is also set.
#
# - INSTALL_K3S_SKIP_DOWNLOAD
# If set to true will not download k3s hash or binary.
#
# - INSTALL_K3S_FORCE_RESTART
# If set to true will always restart the K3s service
#
# - INSTALL_K3S_SYMLINK
# If set to 'skip' will not create symlinks, 'force' will overwrite,
# default will symlink if command does not exist in path.
#
# - INSTALL_K3S_SKIP_ENABLE
# If set to true will not enable or start k3s service.
#
# - INSTALL_K3S_SKIP_START
# If set to true will not start k3s service.
#
# - INSTALL_K3S_VERSION
# Version of k3s to download from github. Will attempt to download from the
# stable channel if not specified.
#
# - INSTALL_K3S_COMMIT
# Commit of k3s to download from temporary cloud storage.
# * (for developer & QA use)
#
# - INSTALL_K3S_BIN_DIR
# Directory to install k3s binary, links, and uninstall script to, or use
# /usr/local/bin as the default
#
# - INSTALL_K3S_BIN_DIR_READ_ONLY
# If set to true will not write files to INSTALL_K3S_BIN_DIR, forces
# setting INSTALL_K3S_SKIP_DOWNLOAD=true
#
# - INSTALL_K3S_SYSTEMD_DIR
# Directory to install systemd service and environment files to, or use
# /etc/systemd/system as the default
#
# - INSTALL_K3S_EXEC or script arguments
# Command with flags to use for launching k3s in the systemd service, if
# the command is not specified will default to "agent" if K3S_URL is set
# or "server" if not. The final systemd command resolves to a combination
# of EXEC and script args ($@).
#
# The following commands result in the same behavior:
# curl ... | INSTALL_K3S_EXEC="--disable=traefik" sh -s -
# curl ... | INSTALL_K3S_EXEC="server --disable=traefik" sh -s -
# curl ... | INSTALL_K3S_EXEC="server" sh -s - --disable=traefik
# curl ... | sh -s - server --disable=traefik
# curl ... | sh -s - --disable=traefik
#
# - INSTALL_K3S_NAME
# Name of systemd service to create, will default from the k3s exec command
# if not specified. If specified the name will be prefixed with 'k3s-'.
#
# - INSTALL_K3S_TYPE
# Type of systemd service to create, will default from the k3s exec command
# if not specified.
#
# - INSTALL_K3S_MIRROR
# For Chinese users, set INSTALL_K3S_MIRROR=cn to use the mirror address to accelerate
# k3s binary file download, and the default mirror address is mirror_k3s.rancher.cn
#
# - INSTALL_K3S_SELINUX_WARN
# If set to true will continue if k3s-selinux policy is not found.
#
# - INSTALL_K3S_SKIP_SELINUX_RPM
# If set to true will skip automatic installation of the k3s RPM.
#
# - INSTALL_K3S_CHANNEL_URL
# Channel URL for fetching k3s download URL.
# Defaults to 'https://update.k3s.io/v1-release/channels'.
#
# - INSTALL_K3S_CHANNEL
# Channel to use for fetching k3s download URL.
# Defaults to 'stable'.
#
# - INSTALL_K3S_REGISTRIES
# Setup a custom Registry or Mirror
# Defaults to null.
GITHUB_URL=https://github.com/k3s-io/k3s/releases
STORAGE_URL=https://storage.googleapis.com/k3s-ci-builds
DOWNLOADER=
INSTALL_K3S_MIRROR_URL=${INSTALL_K3S_MIRROR_URL:-'https://rancher-mirror.rancher.cn'}
# --- helper functions for logs ---
info()
{
echo '[INFO] ' "$@"
}
warn()
{
echo '[WARN] ' "$@" >&2
}
fatal()
{
echo '[ERROR] ' "$@" >&2
exit 1
}
# --- fatal if no systemd or openrc ---
verify_system() {
if [ -x /sbin/openrc-run ]; then
HAS_OPENRC=true
return
fi
if [ -x /bin/systemctl ] || type systemctl > /dev/null 2>&1; then
HAS_SYSTEMD=true
return
fi
fatal 'Can not find systemd or openrc to use as a process supervisor for k3s'
}
# --- add quotes to command arguments ---
quote() {
for arg in "$@"; do
printf '%s\n' "$arg" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/'/"
done
}
# --- add indentation and trailing slash to quoted args ---
quote_indent() {
printf ' \\\n'
for arg in "$@"; do
printf '\t%s \\\n' "$(quote "$arg")"
done
}
# --- escape most punctuation characters, except quotes, forward slash, and space ---
escape() {
printf '%s' "$@" | sed -e 's/\([][!#$%&()*;<=>?\_`{|}]\)/\\\1/g;'
}
# --- escape double quotes ---
escape_dq() {
printf '%s' "$@" | sed -e 's/"/\\"/g'
}
# --- ensures $K3S_URL is empty or begins with https://, exiting fatally otherwise ---
verify_k3s_url() {
case "${K3S_URL}" in
"")
;;
https://*)
;;
*)
fatal "Only https:// URLs are supported for K3S_URL (have ${K3S_URL})"
;;
esac
}
# --- Setup a custom Registry or Mirror
setup_registry() {
REGISTRIES_FILE="/etc/rancher/k3s/registries.yaml"
if [ "${INSTALL_K3S_REGISTRIES}" -a ! -f "$REGISTRIES_FILE" ]; then
INSTALL_K3S_REGISTRIES=`echo ${INSTALL_K3S_REGISTRIES} | awk '{gsub(/,/," "); print $0}'`
$SUDO mkdir -p `dirname $REGISTRIES_FILE`
$SUDO cat >> $REGISTRIES_FILE <<EOF
mirrors:
"docker.io":
endpoint:
EOF
for registry in ${INSTALL_K3S_REGISTRIES}; do
echo " - $registry" >> "$REGISTRIES_FILE"
done
fi
}
# --- define needed environment variables ---
setup_env() {
# --- use command args if passed or create default ---
case "$1" in
# --- if we only have flags discover if command should be server or agent ---
(-*|"")
if [ -z "${K3S_URL}" ]; then
CMD_K3S=server
else
if [ -z "${K3S_TOKEN}" ] && [ -z "${K3S_TOKEN_FILE}" ] && [ -z "${K3S_CLUSTER_SECRET}" ]; then
fatal "Defaulted k3s exec command to 'agent' because K3S_URL is defined, but K3S_TOKEN, K3S_TOKEN_FILE or K3S_CLUSTER_SECRET is not defined."
fi
CMD_K3S=agent
fi
;;
# --- command is provided ---
(*)
CMD_K3S=$1
shift
;;
esac
verify_k3s_url
CMD_K3S_EXEC="${CMD_K3S}$(quote_indent "$@")"
# --- use systemd name if defined or create default ---
if [ -n "${INSTALL_K3S_NAME}" ]; then
SYSTEM_NAME=k3s-${INSTALL_K3S_NAME}
else
if [ "${CMD_K3S}" = server ]; then
SYSTEM_NAME=k3s
else
SYSTEM_NAME=k3s-${CMD_K3S}
fi
fi
# --- check for invalid characters in system name ---
valid_chars=$(printf '%s' "${SYSTEM_NAME}" | sed -e 's/[][!#$%&()*;<=>?\_`{|}/[:space:]]/^/g;' )
if [ "${SYSTEM_NAME}" != "${valid_chars}" ]; then
invalid_chars=$(printf '%s' "${valid_chars}" | sed -e 's/[^^]/ /g')
fatal "Invalid characters for system name:
${SYSTEM_NAME}
${invalid_chars}"
fi
# --- use sudo if we are not already root ---
SUDO=sudo
if [ $(id -u) -eq 0 ]; then
SUDO=
fi
# --- use systemd type if defined or create default ---
if [ -n "${INSTALL_K3S_TYPE}" ]; then
SYSTEMD_TYPE=${INSTALL_K3S_TYPE}
else
if [ "${CMD_K3S}" = server ]; then
SYSTEMD_TYPE=notify
else
SYSTEMD_TYPE=exec
fi
fi
# --- use binary install directory if defined or create default ---
if [ -n "${INSTALL_K3S_BIN_DIR}" ]; then
BIN_DIR=${INSTALL_K3S_BIN_DIR}
else
# --- use /usr/local/bin if root can write to it, otherwise use /opt/bin if it exists
BIN_DIR=/usr/local/bin
if ! $SUDO sh -c "touch ${BIN_DIR}/k3s-ro-test && rm -rf ${BIN_DIR}/k3s-ro-test"; then
if [ -d /opt/bin ]; then
BIN_DIR=/opt/bin
fi
fi
fi
# --- use systemd directory if defined or create default ---
if [ -n "${INSTALL_K3S_SYSTEMD_DIR}" ]; then
SYSTEMD_DIR="${INSTALL_K3S_SYSTEMD_DIR}"
else
SYSTEMD_DIR=/etc/systemd/system
fi
# --- set related files from system name ---
SERVICE_K3S=${SYSTEM_NAME}.service
UNINSTALL_K3S_SH=${UNINSTALL_K3S_SH:-${BIN_DIR}/${SYSTEM_NAME}-uninstall.sh}
KILLALL_K3S_SH=${KILLALL_K3S_SH:-${BIN_DIR}/k3s-killall.sh}
# --- use service or environment location depending on systemd/openrc ---
if [ "${HAS_SYSTEMD}" = true ]; then
FILE_K3S_SERVICE=${SYSTEMD_DIR}/${SERVICE_K3S}
FILE_K3S_ENV=${SYSTEMD_DIR}/${SERVICE_K3S}.env
elif [ "${HAS_OPENRC}" = true ]; then
$SUDO mkdir -p /etc/rancher/k3s
FILE_K3S_SERVICE=/etc/init.d/${SYSTEM_NAME}
FILE_K3S_ENV=/etc/rancher/k3s/${SYSTEM_NAME}.env
fi
# --- get hash of config & exec for currently installed k3s ---
PRE_INSTALL_HASHES=$(get_installed_hashes)
# --- if bin directory is read only skip download ---
if [ "${INSTALL_K3S_BIN_DIR_READ_ONLY}" = true ]; then
INSTALL_K3S_SKIP_DOWNLOAD=true
fi
# --- setup channel values
if [ "${INSTALL_K3S_MIRROR}" = cn ]; then
INSTALL_K3S_CHANNEL_URL="${INSTALL_K3S_MIRROR_URL}/k3s/channels"
else
INSTALL_K3S_CHANNEL_URL=${INSTALL_K3S_CHANNEL_URL:-'https://update.k3s.io/v1-release/channels'}
fi
INSTALL_K3S_CHANNEL=${INSTALL_K3S_CHANNEL:-'stable'}
}
# --- check if skip download environment variable set ---
can_skip_download() {
if [ "${INSTALL_K3S_SKIP_DOWNLOAD}" != true ]; then
return 1
fi
}
# --- verify an executable k3s binary is installed ---
verify_k3s_is_executable() {
if [ ! -x ${BIN_DIR}/k3s ]; then
fatal "Executable k3s binary not found at ${BIN_DIR}/k3s"
fi
}
# --- set arch and suffix, fatal if architecture not supported ---
setup_verify_arch() {
if [ -z "$ARCH" ]; then
ARCH=$(uname -m)
fi
case $ARCH in
amd64)
ARCH=amd64
SUFFIX=
;;
x86_64)
ARCH=amd64
SUFFIX=
;;
arm64)
ARCH=arm64
SUFFIX=-${ARCH}
;;
s390x)
ARCH=s390x
SUFFIX=-${ARCH}
;;
aarch64)
ARCH=arm64
SUFFIX=-${ARCH}
;;
arm*)
ARCH=arm
SUFFIX=-${ARCH}hf
;;
*)
fatal "Unsupported architecture $ARCH"
esac
}
# --- verify existence of network downloader executable ---
verify_downloader() {
# Return failure if it doesn't exist or is no executable
[ -x "$(command -v $1)" ] || return 1
# Set verified executable as our downloader program and return success
DOWNLOADER=$1
return 0
}
# --- create temporary directory and cleanup when done ---
setup_tmp() {
TMP_DIR=$(mktemp -d -t k3s-install.XXXXXXXXXX)
TMP_HASH=${TMP_DIR}/k3s.hash
TMP_BIN=${TMP_DIR}/k3s.bin
cleanup() {
code=$?
set +e
trap - EXIT
rm -rf ${TMP_DIR}
exit $code
}
trap cleanup INT EXIT
}
# --- use desired k3s version if defined or find version from channel ---
get_release_version() {
if [ -n "${INSTALL_K3S_COMMIT}" ]; then
VERSION_K3S="commit ${INSTALL_K3S_COMMIT}"
elif [ -n "${INSTALL_K3S_VERSION}" ]; then
VERSION_K3S=${INSTALL_K3S_VERSION}
else
info "Finding release for channel ${INSTALL_K3S_CHANNEL}"
version_url="${INSTALL_K3S_CHANNEL_URL}/${INSTALL_K3S_CHANNEL}"
case $DOWNLOADER in
curl)
if [ "${INSTALL_K3S_MIRROR}" = cn ]; then
VERSION_K3S=$(curl -s -S ${version_url})
else
VERSION_K3S=$(curl -w '%{url_effective}' -L -s -S ${version_url} -o /dev/null | sed -e 's|.*/||')
fi
;;
wget)
if [ "${INSTALL_K3S_MIRROR}" = cn ]; then
VERSION_K3S=$(wget -qO - ${version_url})
else
VERSION_K3S=$(wget -SqO /dev/null ${version_url} 2>&1 | grep -i Location | sed -e 's|.*/||')
fi
;;
*)
fatal "Incorrect downloader executable '$DOWNLOADER'"
;;
esac
fi
info "Using ${VERSION_K3S} as release"
}
# --- download from github url ---
download() {
[ $# -eq 2 ] || fatal 'download needs exactly 2 arguments'
case $DOWNLOADER in
curl)
curl -o $1 -sfL $2
;;
wget)
wget -qO $1 $2
;;
*)
fatal "Incorrect executable '$DOWNLOADER'"
;;
esac
# Abort if download command failed
[ $? -eq 0 ] || fatal 'Download failed'
}
# --- download hash from github url ---
download_hash() {
if [ -n "${INSTALL_K3S_COMMIT}" ]; then
HASH_URL=${STORAGE_URL}/k3s${SUFFIX}-${INSTALL_K3S_COMMIT}.sha256sum
elif [ "${INSTALL_K3S_MIRROR}" = cn ]; then
VERSION_K3S=$( echo ${VERSION_K3S} | sed 's/+/-/g' )
HASH_URL=${INSTALL_K3S_MIRROR_URL}/k3s/${VERSION_K3S}/sha256sum-${ARCH}.txt
else
HASH_URL=${GITHUB_URL}/download/${VERSION_K3S}/sha256sum-${ARCH}.txt
fi
info "Downloading hash ${HASH_URL}"
download ${TMP_HASH} ${HASH_URL}
HASH_EXPECTED=$(grep " k3s${SUFFIX}$" ${TMP_HASH})
HASH_EXPECTED=${HASH_EXPECTED%%[[:blank:]]*}
}
# --- check hash against installed version ---
installed_hash_matches() {
if [ -x ${BIN_DIR}/k3s ]; then
HASH_INSTALLED=$(sha256sum ${BIN_DIR}/k3s)
HASH_INSTALLED=${HASH_INSTALLED%%[[:blank:]]*}
if [ "${HASH_EXPECTED}" = "${HASH_INSTALLED}" ]; then
return
fi
fi
return 1
}
# --- download binary from github url ---
download_binary() {
if [ -n "${INSTALL_K3S_COMMIT}" ]; then
BIN_URL=${STORAGE_URL}/k3s${SUFFIX}-${INSTALL_K3S_COMMIT}
elif [ "${INSTALL_K3S_MIRROR}" = cn ]; then
VERSION_K3S=$( echo ${VERSION_K3S} | sed 's/+/-/g' )
BIN_URL=${INSTALL_K3S_MIRROR_URL}/k3s/${VERSION_K3S}/k3s${SUFFIX}
else
BIN_URL=${GITHUB_URL}/download/${VERSION_K3S}/k3s${SUFFIX}
fi
info "Downloading binary ${BIN_URL}"
download ${TMP_BIN} ${BIN_URL}
}
# --- verify downloaded binary hash ---
verify_binary() {
info "Verifying binary download"
HASH_BIN=$(sha256sum ${TMP_BIN})
HASH_BIN=${HASH_BIN%%[[:blank:]]*}
if [ "${HASH_EXPECTED}" != "${HASH_BIN}" ]; then
fatal "Download sha256 does not match ${HASH_EXPECTED}, got ${HASH_BIN}"
fi
}
# --- setup permissions and move binary to system directory ---
setup_binary() {
chmod 755 ${TMP_BIN}
info "Installing k3s to ${BIN_DIR}/k3s"
$SUDO chown root:root ${TMP_BIN}
$SUDO mv -f ${TMP_BIN} ${BIN_DIR}/k3s
}
# --- setup selinux policy ---
setup_selinux() {
case ${INSTALL_K3S_CHANNEL} in
*testing)
rpm_channel=testing
;;
*latest)
rpm_channel=latest
;;
*)
rpm_channel=stable
;;
esac
rpm_site="rpm.rancher.io"
if [ "${rpm_channel}" = "testing" ]; then
rpm_site="rpm-testing.rancher.io"
fi
[ -r /etc/os-release ] && . /etc/os-release
if [ "${ID_LIKE%%[ ]*}" = "suse" ]; then
rpm_target=sle
rpm_site_infix=microos
package_installer=zypper
elif [ "${VERSION_ID%%.*}" = "7" ]; then
rpm_target=el7
rpm_site_infix=centos/7
package_installer=yum
else
rpm_target=el8
rpm_site_infix=centos/8
package_installer=yum
fi
if [ "${package_installer}" = "yum" ] && [ -x /usr/bin/dnf ]; then
package_installer=dnf
fi
policy_hint="please install:
${package_installer} install -y container-selinux
${package_installer} install -y https://${rpm_site}/k3s/${rpm_channel}/common/${rpm_site_infix}/noarch/k3s-selinux-0.4-1.${rpm_target}.noarch.rpm
"
if [ "$INSTALL_K3S_SKIP_SELINUX_RPM" = true ] || can_skip_download || [ ! -d /usr/share/selinux ]; then
info "Skipping installation of SELinux RPM"
elif [ "${ID_LIKE:-}" != coreos ] && [ "${VARIANT_ID:-}" != coreos ]; then
install_selinux_rpm ${rpm_site} ${rpm_channel} ${rpm_target} ${rpm_site_infix}
fi
policy_error=fatal
if [ "$INSTALL_K3S_SELINUX_WARN" = true ] || [ "${ID_LIKE:-}" = coreos ] || [ "${VARIANT_ID:-}" = coreos ]; then
policy_error=warn
fi
if ! $SUDO chcon -u system_u -r object_r -t container_runtime_exec_t ${BIN_DIR}/k3s >/dev/null 2>&1; then
if $SUDO grep '^\s*SELINUX=enforcing' /etc/selinux/config >/dev/null 2>&1; then
$policy_error "Failed to apply container_runtime_exec_t to ${BIN_DIR}/k3s, ${policy_hint}"
fi
elif [ ! -f /usr/share/selinux/packages/k3s.pp ]; then
if [ -x /usr/sbin/transactional-update ]; then
warn "Please reboot your machine to activate the changes and avoid data loss."
else
$policy_error "Failed to find the k3s-selinux policy, ${policy_hint}"
fi
fi
}
install_selinux_rpm() {
if [ -r /etc/redhat-release ] || [ -r /etc/centos-release ] || [ -r /etc/oracle-release ] || [ "${ID_LIKE%%[ ]*}" = "suse" ]; then
repodir=/etc/yum.repos.d
if [ -d /etc/zypp/repos.d ]; then
repodir=/etc/zypp/repos.d
fi
set +o noglob
$SUDO rm -f ${repodir}/rancher-k3s-common*.repo
set -o noglob
if [ -r /etc/redhat-release ] && [ "${3}" = "el7" ]; then
$SUDO yum install -y yum-utils
$SUDO yum-config-manager --enable rhel-7-server-extras-rpms
fi
$SUDO tee ${repodir}/rancher-k3s-common.repo >/dev/null << EOF
[rancher-k3s-common-${2}]
name=Rancher K3s Common (${2})
baseurl=https://${1}/k3s/${2}/common/${4}/noarch
enabled=1
gpgcheck=1
repo_gpgcheck=0
gpgkey=https://${1}/public.key
EOF
case ${3} in
sle)
rpm_installer="zypper --gpg-auto-import-keys"
if [ "${TRANSACTIONAL_UPDATE=false}" != "true" ] && [ -x /usr/sbin/transactional-update ]; then
rpm_installer="transactional-update --no-selfupdate -d run ${rpm_installer}"
: "${INSTALL_K3S_SKIP_START:=true}"
fi
;;
*)
rpm_installer="yum"
;;
esac
if [ "${rpm_installer}" = "yum" ] && [ -x /usr/bin/dnf ]; then
rpm_installer=dnf
fi
# shellcheck disable=SC2086
$SUDO ${rpm_installer} install -y "k3s-selinux"
fi
return
}
# --- download and verify k3s ---
download_and_verify() {
if can_skip_download; then
info 'Skipping k3s download and verify'
verify_k3s_is_executable
return
fi
setup_verify_arch
verify_downloader curl || verify_downloader wget || fatal 'Can not find curl or wget for downloading files'
setup_tmp
get_release_version
download_hash
if installed_hash_matches; then
info 'Skipping binary downloaded, installed k3s matches hash'
return
fi
download_binary
verify_binary
setup_binary
}
# --- add additional utility links ---
create_symlinks() {
[ "${INSTALL_K3S_BIN_DIR_READ_ONLY}" = true ] && return
[ "${INSTALL_K3S_SYMLINK}" = skip ] && return
for cmd in kubectl crictl ctr; do
if [ ! -e ${BIN_DIR}/${cmd} ] || [ "${INSTALL_K3S_SYMLINK}" = force ]; then
which_cmd=$(command -v ${cmd} 2>/dev/null || true)
if [ -z "${which_cmd}" ] || [ "${INSTALL_K3S_SYMLINK}" = force ]; then
info "Creating ${BIN_DIR}/${cmd} symlink to k3s"
$SUDO ln -sf k3s ${BIN_DIR}/${cmd}
else
info "Skipping ${BIN_DIR}/${cmd} symlink to k3s, command exists in PATH at ${which_cmd}"
fi
else
info "Skipping ${BIN_DIR}/${cmd} symlink to k3s, already exists"
fi
done
}
# --- create killall script ---
create_killall() {
[ "${INSTALL_K3S_BIN_DIR_READ_ONLY}" = true ] && return
info "Creating killall script ${KILLALL_K3S_SH}"
$SUDO tee ${KILLALL_K3S_SH} >/dev/null << \EOF
#!/bin/sh
[ $(id -u) -eq 0 ] || exec sudo $0 $@
for bin in /var/lib/rancher/k3s/data/**/bin/; do
[ -d $bin ] && export PATH=$PATH:$bin:$bin/aux
done
set -x
for service in /etc/systemd/system/k3s*.service; do
[ -s $service ] && systemctl stop $(basename $service)
done
for service in /etc/init.d/k3s*; do
[ -x $service ] && $service stop
done
pschildren() {
ps -e -o ppid= -o pid= | \
sed -e 's/^\s*//g; s/\s\s*/\t/g;' | \
grep -w "^$1" | \
cut -f2
}
pstree() {
for pid in $@; do
echo $pid
for child in $(pschildren $pid); do
pstree $child
done
done
}
killtree() {
kill -9 $(
{ set +x; } 2>/dev/null;
pstree $@;
set -x;
) 2>/dev/null
}
getshims() {
ps -e -o pid= -o args= | sed -e 's/^ *//; s/\s\s*/\t/;' | grep -w 'k3s/data/[^/]*/bin/containerd-shim' | cut -f1
}
killtree $({ set +x; } 2>/dev/null; getshims; set -x)
do_unmount_and_remove() {
set +x
while read -r _ path _; do
case "$path" in $1*) echo "$path" ;; esac
done < /proc/self/mounts | sort -r | xargs -r -t -n 1 sh -c 'umount "$0" && rm -rf "$0"'
set -x
}
do_unmount_and_remove '/run/k3s'
do_unmount_and_remove '/var/lib/rancher/k3s'
do_unmount_and_remove '/var/lib/kubelet/pods'
do_unmount_and_remove '/var/lib/kubelet/plugins'
do_unmount_and_remove '/run/netns/cni-'
# Remove CNI namespaces
ip netns show 2>/dev/null | grep cni- | xargs -r -t -n 1 ip netns delete
# Delete network interface(s) that match 'master cni0'
ip link show 2>/dev/null | grep 'master cni0' | while read ignore iface ignore; do
iface=${iface%%@*}
[ -z "$iface" ] || ip link delete $iface
done
ip link delete cni0
ip link delete flannel.1
ip link delete flannel-v6.1
rm -rf /var/lib/cni/
iptables-save | grep -v KUBE- | grep -v CNI- | grep -v flannel | iptables-restore
ip6tables-save | grep -v KUBE- | grep -v CNI- | grep -v flannel | ip6tables-restore
EOF
$SUDO chmod 755 ${KILLALL_K3S_SH}
$SUDO chown root:root ${KILLALL_K3S_SH}
}
# --- create uninstall script ---
create_uninstall() {
[ "${INSTALL_K3S_BIN_DIR_READ_ONLY}" = true ] && return
info "Creating uninstall script ${UNINSTALL_K3S_SH}"
$SUDO tee ${UNINSTALL_K3S_SH} >/dev/null << EOF
#!/bin/sh
set -x
[ \$(id -u) -eq 0 ] || exec sudo \$0 \$@
${KILLALL_K3S_SH}
if command -v systemctl; then
systemctl disable ${SYSTEM_NAME}
systemctl reset-failed ${SYSTEM_NAME}
systemctl daemon-reload
fi
if command -v rc-update; then
rc-update delete ${SYSTEM_NAME} default
fi
rm -f ${FILE_K3S_SERVICE}
rm -f ${FILE_K3S_ENV}
remove_uninstall() {
rm -f ${UNINSTALL_K3S_SH}
}
trap remove_uninstall EXIT
if (ls ${SYSTEMD_DIR}/k3s*.service || ls /etc/init.d/k3s*) >/dev/null 2>&1; then
set +x; echo 'Additional k3s services installed, skipping uninstall of k3s'; set -x
exit
fi
for cmd in kubectl crictl ctr; do
if [ -L ${BIN_DIR}/\$cmd ]; then
rm -f ${BIN_DIR}/\$cmd
fi
done
rm -rf /etc/rancher/k3s
rm -rf /run/k3s
rm -rf /run/flannel
rm -rf /var/lib/rancher/k3s
rm -rf /var/lib/kubelet
rm -f ${BIN_DIR}/k3s
rm -f ${KILLALL_K3S_SH}
if type yum >/dev/null 2>&1; then
yum remove -y k3s-selinux
rm -f /etc/yum.repos.d/rancher-k3s-common*.repo
elif type zypper >/dev/null 2>&1; then
uninstall_cmd="zypper remove -y k3s-selinux"
if [ "\${TRANSACTIONAL_UPDATE=false}" != "true" ] && [ -x /usr/sbin/transactional-update ]; then
uninstall_cmd="transactional-update --no-selfupdate -d run \$uninstall_cmd"
fi
\$uninstall_cmd
rm -f /etc/zypp/repos.d/rancher-k3s-common*.repo
fi
EOF
$SUDO chmod 755 ${UNINSTALL_K3S_SH}
$SUDO chown root:root ${UNINSTALL_K3S_SH}
}
# --- disable current service if loaded --
systemd_disable() {
$SUDO systemctl disable ${SYSTEM_NAME} >/dev/null 2>&1 || true
$SUDO rm -f /etc/systemd/system/${SERVICE_K3S} || true
$SUDO rm -f /etc/systemd/system/${SERVICE_K3S}.env || true
}
# --- capture current env and create file containing k3s_ variables ---
create_env_file() {
info "env: Creating environment file ${FILE_K3S_ENV}"
$SUDO touch ${FILE_K3S_ENV}
$SUDO chmod 0600 ${FILE_K3S_ENV}
sh -c export | while read x v; do echo $v; done | grep -E '^(K3S|CONTAINERD)_' | $SUDO tee ${FILE_K3S_ENV} >/dev/null
sh -c export | while read x v; do echo $v; done | grep -Ei '^(NO|HTTP|HTTPS)_PROXY' | $SUDO tee -a ${FILE_K3S_ENV} >/dev/null
}
# --- write systemd service file ---
create_systemd_service_file() {
info "systemd: Creating service file ${FILE_K3S_SERVICE}"
$SUDO tee ${FILE_K3S_SERVICE} >/dev/null << EOF
[Unit]
Description=Lightweight Kubernetes
Documentation=https://k3s.io
Wants=network-online.target
After=network-online.target
[Install]
WantedBy=multi-user.target
[Service]
Type=${SYSTEMD_TYPE}
EnvironmentFile=-/etc/default/%N
EnvironmentFile=-/etc/sysconfig/%N
EnvironmentFile=-${FILE_K3S_ENV}
KillMode=process
Delegate=yes
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=1048576
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
TimeoutStartSec=0
Restart=always
RestartSec=5s
ExecStartPre=/bin/sh -xc '! /usr/bin/systemctl is-enabled --quiet nm-cloud-setup.service'
ExecStartPre=-/sbin/modprobe br_netfilter
ExecStartPre=-/sbin/modprobe overlay
ExecStart=${BIN_DIR}/k3s \\
${CMD_K3S_EXEC}
EOF
}
# --- write openrc service file ---
create_openrc_service_file() {
LOG_FILE=/var/log/${SYSTEM_NAME}.log
info "openrc: Creating service file ${FILE_K3S_SERVICE}"
$SUDO tee ${FILE_K3S_SERVICE} >/dev/null << EOF
#!/sbin/openrc-run
depend() {
after network-online
want cgroups
}
start_pre() {
rm -f /tmp/k3s.*
}
supervisor=supervise-daemon
name=${SYSTEM_NAME}
command="${BIN_DIR}/k3s"
command_args="$(escape_dq "${CMD_K3S_EXEC}")
>>${LOG_FILE} 2>&1"
output_log=${LOG_FILE}
error_log=${LOG_FILE}
pidfile="/var/run/${SYSTEM_NAME}.pid"
respawn_delay=5
respawn_max=0
set -o allexport
if [ -f /etc/environment ]; then source /etc/environment; fi
if [ -f ${FILE_K3S_ENV} ]; then source ${FILE_K3S_ENV}; fi
set +o allexport
EOF
$SUDO chmod 0755 ${FILE_K3S_SERVICE}
$SUDO tee /etc/logrotate.d/${SYSTEM_NAME} >/dev/null << EOF
${LOG_FILE} {
missingok
notifempty
copytruncate
}
EOF
}
# --- write systemd or openrc service file ---
create_service_file() {
[ "${HAS_SYSTEMD}" = true ] && create_systemd_service_file
[ "${HAS_OPENRC}" = true ] && create_openrc_service_file
return 0
}
# --- get hashes of the current k3s bin and service files
get_installed_hashes() {
$SUDO sha256sum ${BIN_DIR}/k3s ${FILE_K3S_SERVICE} ${FILE_K3S_ENV} 2>&1 || true
}
# --- enable and start systemd service ---
systemd_enable() {
info "systemd: Enabling ${SYSTEM_NAME} unit"
$SUDO systemctl enable ${FILE_K3S_SERVICE} >/dev/null
$SUDO systemctl daemon-reload >/dev/null
}
systemd_start() {
info "systemd: Starting ${SYSTEM_NAME}"
$SUDO systemctl restart ${SYSTEM_NAME}
}
# --- enable and start openrc service ---
openrc_enable() {
info "openrc: Enabling ${SYSTEM_NAME} service for default runlevel"
$SUDO rc-update add ${SYSTEM_NAME} default >/dev/null
}
openrc_start() {
info "openrc: Starting ${SYSTEM_NAME}"
$SUDO ${FILE_K3S_SERVICE} restart
}
# --- startup systemd or openrc service ---
service_enable_and_start() {
if [ -f "/proc/cgroups" ] && [ "$(grep memory /proc/cgroups | while read -r n n n enabled; do echo $enabled; done)" -eq 0 ];
then
info 'Failed to find memory cgroup, you may need to add "cgroup_memory=1 cgroup_enable=memory" to your linux cmdline (/boot/cmdline.txt on a Raspberry Pi)'
fi
[ "${INSTALL_K3S_SKIP_ENABLE}" = true ] && return
[ "${HAS_SYSTEMD}" = true ] && systemd_enable
[ "${HAS_OPENRC}" = true ] && openrc_enable
[ "${INSTALL_K3S_SKIP_START}" = true ] && return
POST_INSTALL_HASHES=$(get_installed_hashes)
if [ "${PRE_INSTALL_HASHES}" = "${POST_INSTALL_HASHES}" ] && [ "${INSTALL_K3S_FORCE_RESTART}" != true ]; then
info 'No change detected so skipping service start'
return
fi
[ "${HAS_SYSTEMD}" = true ] && systemd_start
[ "${HAS_OPENRC}" = true ] && openrc_start
return 0
}
# --- re-evaluate args to include env command ---
eval set -- $(escape "${INSTALL_K3S_EXEC}") $(quote "$@")
# --- run the install process --
{
verify_system
setup_env "$@"
download_and_verify
setup_selinux
create_symlinks
create_killall
create_uninstall
systemd_disable
create_env_file
create_service_file
service_enable_and_start
}

1
ansible/roles/k3s-install/files/k3s.sh Normal file
View File

@@ -0,0 +1 @@
export PATH=/usr/local/bin:$PATH

25
ansible/roles/k3s-install/tasks/main.yml Normal file
View File

@@ -0,0 +1,25 @@
- name: "prepare install k3s"
shell: sed -ie "s/SELINUX=.*/SELINUX=disabled/g" /etc/selinux/config
#- name: "execute k3s install"
# shell: curl -sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn INSTALL_K3S_SKIP_ENABLE=true sh -
- name: "copy k3s to destination"
copy:
src: "{{ role_path }}/files/k3s"
dest: /usr/local/bin/
mode: 0755
- name: "execute k3s install"
shell: curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_DOWNLOAD=true INSTALL_K3S_SKIP_ENABLE=true sh -
- name: "enable k3s"
systemd:
name: k3s
enabled: yes
- name: "copy k3s.sh to destination"
copy:
src: "{{ role_path }}/files/k3s.sh"
dest: /etc/profile.d/
mode: 0755

12
ansible/roles/kni/tasks/main.yml
View File

@@ -1,4 +1,12 @@
---
- name: "download rpm packages: kni"
yum:
name:
- "{{ kni_rpm_version.kni }}"
conf_file: "{{ rpm_repo_config_path }}"
state: present
download_only: yes
download_dir: "{{ path_download }}"
- name: "Install kni that is sapp plugin with prefix option"
shell: rpm -i /tmp/rpm_download/{{ kni_rpm_version.kni }}* --prefix {{ prefix_path.sapp }}
@@ -8,11 +16,11 @@
src: "{{ role_path }}/templates/kni.conf.j2"
dest: /opt/tsg/sapp/etc/kni/kni.conf
tags: template
when: runtime_env != 'TSG-X-P0804'
when: runtime_env != 'TSG-X-P0804' and runtime_env != 'TSG-X-P0906'
- name: Template the kni.conf
template:
src: "{{ role_path }}/templates/kni.conf.j2"
dest: /opt/tsg/tsg-os-provision/templates/kni.conf.j2
tags: template
when: runtime_env == 'TSG-X-P0804'
when: runtime_env == 'TSG-X-P0804' or runtime_env == 'TSG-X-P0906'

4
ansible/roles/kni/templates/kni.conf.j2
View File

@@ -8,7 +8,11 @@ tfe_node_count = 1
tfe_node_count = {{ dp_steering_proxy.node_count }}
{% endif %}
manage_eth = {{ control_and_policy.nic_name }}
{% if dp_steering_proxy.tun_mode is defined %}
deploy_mode = tun
{% else %}
deploy_mode = normal
{% endif %}
tun_name = tun_kni
src_mac_addr = 00:0e:c6:d6:72:c1
dst_mac_addr = fe:65:b7:03:50:bd

10
ansible/roles/mrzcpd/tasks/main.yml
View File

@@ -1,4 +1,12 @@
---
- name: "download rpm packages: mrzcpd"
yum:
name: "{{ mrzcpd_rpm_version.mrzcpd }}"
conf_file: "{{ rpm_repo_config_path }}"
state: present
download_only: yes
download_dir: "{{ path_download }}"
- name: "Install mrzcpd rpm package"
shell: rpm -i /tmp/rpm_download/{{ mrzcpd_rpm_version.mrzcpd }}* --prefix {{ prefix_path.mrzcpd }}
@@ -89,7 +97,7 @@
src: "{{ role_path }}/templates/mrglobal.conf.j2.j2.TSGXNXR620G40R01P0804"
dest: /opt/tsg/tsg-os-provision/templates/mrglobal.conf.j2
when:
- runtime_env == 'TSG-X-P0804'
- runtime_env == 'TSG-X-P0804' or runtime_env == 'TSG-X-P0906'
- name: "replace action: replace service WantedBy from multi-user.target to workload.target"
replace:

9
ansible/roles/mrzcpd/templates/mrglobal.conf.j2.j2.TSGXNXR620G40R01P0804
View File

@@ -72,4 +72,11 @@ create_mode=3
sz_direct_pktmbuf=4194304
sz_indirect_pktmbuf=8192
sz_cache=256
sz_data=4096
sz_data=4096
{% if runtime_env == 'TSG-X-P0906' %}
[ctrlmsg]
listen_addr={% raw %}{{ ansible_cni0.ipv4.address }}
{% endraw %}
listen_port=46789
{% endif %}

14
ansible/roles/sapp/tasks/main.yml
View File

@@ -1,4 +1,12 @@
---
- name: "download rpm packages: sapp and tcpdump_mesa"
yum:
name: "{{ item.value }}"
conf_file: "{{ rpm_repo_config_path }}"
state: present
download_only: yes
download_dir: "{{ path_download }}"
with_dict: "{{ sapp_rpm_version }}"
- name: "Create directory /opt/tsg/framework and /opt/tsg/sapp if they not exist"
file:
@@ -56,14 +64,14 @@
src: "{{ role_path }}/templates/send_raw_pkt.conf.j2"
dest: /opt/tsg/sapp/etc/send_raw_pkt.conf
tags: template
when: runtime_env != 'TSG-X-P1403' and runtime_env != 'TSG-X-P0804'
when: runtime_env != 'TSG-X-P1403' and runtime_env != 'TSG-X-P0804' and runtime_env != 'TSG-X-P0906'
- name: Template the send_raw_pkt.conf
template:
src: "{{ role_path }}/templates/send_raw_pkt.conf.j2"
dest: /opt/tsg/tsg-os-provision/templates/send_raw_pkt.conf.j2
tags: template
when: runtime_env == 'TSG-X-P1403' or runtime_env == 'TSG-X-P0804'
when: runtime_env == 'TSG-X-P1403' or runtime_env == 'TSG-X-P0804' or runtime_env == 'TSG-X-P0906'
- name: Template the conflist.inf - tsg_server
template:
@@ -111,7 +119,7 @@
dest: /opt/tsg/sapp/etc/vlan_flipping_map.conf
tags: template
when:
- runtime_env == 'TSG-X-P1403' or runtime_env == 'TSG-X-P0804'
- runtime_env == 'TSG-X-P1403' or runtime_env == 'TSG-X-P0804' or runtime_env == 'TSG-X-P0906'
- name: Template the sapp_log.conf
template:

15
ansible/roles/system-init/tasks/main.yml
View File

@@ -61,7 +61,7 @@
- name: "update initramfs"
shell: dracut --force -v /boot/initramfs-5.4.159-1.el7.elrepo.x86_64.img 5.4.159-1.el7.elrepo.x86_64
when: runtime_env != 'TSG-X-P1403' and runtime_env != 'TSG-X-P0804'
when: runtime_env != 'TSG-X-P1403' and runtime_env != 'TSG-X-P0804' and runtime_env != 'TSG-X-P0906'
- name: "Export MLX5_GLUE_PATH"
lineinfile:
@@ -70,7 +70,7 @@
- name: "Generate ansiblg.cfg after ansible upgrade in rockylinux8"
shell: ansible-config init --disabled > /etc/ansible/ansible.cfg
when: runtime_env == 'TSG-X-P0804'
when: runtime_env == 'TSG-X-P0804' or runtime_env == 'TSG-X-P0906'
- name: 'change ansible hash_behaviour value replace to merge'
lineinfile:
@@ -78,3 +78,14 @@
backrefs: yes
regexp: "^(.*hash_behaviour.*=.*replace.*)$"
line: '\1\nhash_behaviour = merge'
- name: 'install psutil'
shell: pip3.8 install -i https://pypi.tuna.tsinghua.edu.cn/simple psutil
when: runtime_env == 'TSG-X-P0804' or runtime_env == 'TSG-X-P0906'
- name: "add sudo secure_path"
lineinfile:
path: /etc/sudoers
backrefs: yes
regexp: "^(.*Defaults secure_path =.*)$"
line: '\1:/opt/tsg/tsg-os-provision'

21
ansible/roles/tfe/tasks/main.yml
View File

@@ -1,4 +1,13 @@
---
- name: "download rpm packages: tfe"
yum:
name: "{{ item.value }}"
conf_file: "{{ rpm_repo_config_path }}"
state: present
download_only: yes
download_dir: "{{ path_download }}"
with_dict: "{{ tfe_rpm_version }}"
- name: "copy tfe program to destination server"
copy:
src: "{{ role_path }}/files/"
@@ -110,7 +119,17 @@
src: "{{ role_path }}/files/service_override_Requires.conf"
dest: "/usr/lib/systemd/system/tfe-env.service.d/"
mode: 0644
when: runtime_env == 'TSG-X-P0804'
when: runtime_env == 'TSG-X-P0804' or runtime_env == 'TSG-X-P0906'
- name: "template tfe-env shell to dest"
template:
src: "{{ role_path }}/templates/{{ item.src }}"
dest: "/opt/tsg/tfe/{{ item.dest }}"
mode: 0755
when: runtime_env == 'TSG-X-P0906'
with_items:
- {src: "tfe-env-start.sh.j2", dest: "tfe-env-start.sh" }
- {src: "tfe-env-stop.sh.j2", dest: "tfe-env-stop.sh" }
##################### tfe #####################
- name: "systemctl daemon-reload"

22
ansible/roles/tfe/templates/tfe-env-start.sh.j2 Normal file
View File

@@ -0,0 +1,22 @@
#!/bin/bash -ex
/usr/sbin/ip link set tun_kni address fe:65:b7:03:50:bd
/usr/sbin/ip link set tun_kni up
/usr/sbin/ip addr flush dev tun_kni
/usr/sbin/ip addr add 172.16.241.2/30 dev tun_kni
/usr/sbin/ip neigh flush dev tun_kni
/usr/sbin/ip neigh add 172.16.241.1 lladdr 00:0e:c6:d6:72:c1 dev tun_kni nud permanent
/usr/sbin/ip6tables -A INPUT -i tun_kni -m bpf --bytecode '17,48 0 0 0,84 0 0 240,21 0 13 96,48 0 0 6,21 0 11 6,40 0 0 4,37 0 9 24,48 0 0 52,84 0 0 240,116 0 0 2,53 0 5 24,48 0 0 60,21 0 3 88,48 0 0 61,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
/usr/sbin/iptables -A INPUT -i tun_kni -m bpf --bytecode '18,48 0 0 0,84 0 0 240,21 0 14 64,48 0 0 9,21 0 12 6,40 0 0 6,69 10 0 8191,177 0 0 0,80 0 0 12,84 0 0 240,116 0 0 2,53 0 5 24,80 0 0 20,21 0 3 88,80 0 0 21,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
/usr/sbin/ip rule add iif tun_kni tab 100
/usr/sbin/ip route add local default dev lo table 100
/usr/sbin/ip rule add fwmark 0x65 lookup 101
/usr/sbin/ip route add default dev tun_kni via 172.16.241.1 table 101
/usr/sbin/ip addr add fd00::02/64 dev tun_kni
/usr/sbin/ip -6 route add default via fd00::01
/usr/sbin/ip -6 rule add iif tun_kni tab 102
/usr/sbin/ip -6 route add local default dev lo table 102
/usr/sbin/ip -6 neigh add fd00::01 lladdr 00:0e:c6:d6:72:c1 dev tun_kni nud permanent

12
ansible/roles/tfe/templates/tfe-env-stop.sh.j2 Normal file
View File

@@ -0,0 +1,12 @@
#!/bin/bash -ex
/usr/sbin/ip6tables -D INPUT -i tun_kni -m bpf --bytecode '17,48 0 0 0,84 0 0 240,21 0 13 96,48 0 0 6,21 0 11 6,40 0 0 4,37 0 9 24,48 0 0 52,84 0 0 240,116 0 0 2,53 0 5 24,48 0 0 60,21 0 3 88,48 0 0 61,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
/usr/sbin/iptables -D INPUT -i tun_kni -m bpf --bytecode '18,48 0 0 0,84 0 0 240,21 0 14 64,48 0 0 9,21 0 12 6,40 0 0 6,69 10 0 8191,177 0 0 0,80 0 0 12,84 0 0 240,116 0 0 2,53 0 5 24,80 0 0 20,21 0 3 88,80 0 0 21,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
/usr/sbin/ip rule del iif tun_kni tab 100
/usr/sbin/ip route del local default dev lo table 100
/usr/sbin/ip rule del fwmark 0x65 lookup 101
/usr/sbin/ip route del default dev tun_kni via 172.16.241.1 table 101
/usr/sbin/ip -6 rule del iif tun_kni tab 102
/usr/sbin/ip -6 route del default via fd00::01
/usr/sbin/ip -6 route del local default dev lo table 102
/usr/sbin/ip addr del fd00::02/64 dev tun_kni
/usr/sbin/ip link set tun_kni down

9
ansible/roles/tsg-diagnose/tasks/main.yml
View File

@@ -1,6 +1,15 @@
#- name: "Install tsg-diagnose"
# shell: rpm -i /tmp/rpm_download/{{ tsg_diagnose_rpm_version.tsg_diagnose }}*
#
- name: "download rpm packages: tsg-diagnose"
yum:
name:
- "{{ tsg_diagnose_rpm_version.tsg_diagnose }}"
conf_file: "{{ rpm_repo_config_path }}"
state: present
download_only: yes
download_dir: "{{ path_download }}"
- name: "Get tsg_diagnose rpm path"
find:
path: /tmp/rpm_download/

14
ansible/roles/tsg-os-provision-condition/tasks/main.yml
View File

@@ -77,3 +77,17 @@
- tfe-env
- tfe
when: runtime_env == 'TSG-X-P0804'
- name: "add condition into service depend provision result TSG-X-P0906"
copy:
src: "{{ role_path }}/files/service_add_ConditionPathExists.conf"
dest: "/usr/lib/systemd/system/{{ item }}.service.d/"
mode: 0644
with_items:
- mrapm_device
- mrapm_stream
- mrenv
- mrzcpd
- telegraf_statistic
- tsg-traffic-engine
when: runtime_env == 'TSG-X-P0906'

13
ansible/roles/tsg-os-provision/files/service/tsg-os-provision.service.TSGXP0906 Normal file
View File

@@ -0,0 +1,13 @@
[Unit]
Description=Tsg os provision
DefaultDependencies=no
Conflicts=shutdown.target
After=local-fs.target
Before=sysinit.target shutdown.target systemd-update-done.service
ConditionNeedsUpdate=|/etc
ConditionFileNotEmpty=|/usr
[Service]
ExecStart=/bin/sh -c "/opt/tsg/tsg-os-provision/scripts/provision.sh 0"
Type=oneshot
RemainAfterExit=yes

241
ansible/roles/tsg-os-provision/files/tasks/provision.yml.TSGXNXR620G40R01P0906 Normal file
View File

@@ -0,0 +1,241 @@
---
- hosts: provision
tasks:
- name: Load default config file variable
include_vars:
file: /opt/tsg/tsg-os-provision/provision.default.yml
- name: Load general config file variable
include_vars:
file: /data/tsg-os-provision/provision.yml
- name: Load provision.yml.d config file variable
include_vars:
dir: /data/tsg-os-provision/provision.yml.d/
ignore_unknown_extensions: yes
extensions:
- 'yml'
- 'yaml'
######setting cpu affinity start######
- name: obtain cpu layout info
set_fact:
cpu_layout_obtained: "{{ item }}"
loop: "{{ cpu_layouts }}"
when:
- ansible_facts.processor[2] is search(item.match.model_name)
- ansible_facts.processor_count == item.match.sockets
- name: set cpu affinity variable
set_fact:
workload_firewall_cpu_affinity: "{{ cpu_layout_obtained.sapp_affinity | join(',') }}"
workload_zcpd_cpu_affinity: "{{ cpu_layout_obtained.mrzcpd_affinity | join(',')}}"
workload_firewall_worker_threads: "{{ cpu_layout_obtained.sapp_affinity | length }}"
workload_proxy_cpu_affinity: "{{ cpu_layout_obtained.tfe_affinity | join(',') }}"
workload_proxy_worker_thread: "{{ cpu_layout_obtained.tfe_affinity | length | int - 1 }}"
- name: "tsg-os-provision: rewrite sapp_cpu_affinity and sapp_worker_threads"
set_fact:
workload_firewall_cpu_affinity: "{{ (cpu_layout_obtained.sapp_affinity + cpu_layout_obtained.tfe_affinity) | join(',') }}"
workload_firewall_worker_threads: "{{ (cpu_layout_obtained.sapp_affinity + cpu_layout_obtained.tfe_affinity) | length }}"
when: proxy.enable == 0
######setting cpu affinity end######
######setting nic cpu affinity mask start######
- name: output cpu_layouts config to config .cpu_layouts.json
copy:
content: "{{ cpu_layouts| to_json }}"
dest: /opt/tsg/tsg-os-provision/.cpu_layouts.json
- name: "tsg-os-provision: obtain rps_mask"
shell: /opt/tsg/tsg-os-provision/scripts/obtain_rps_mask.py
register: result_exec_obtain_rps_mask
- name: "tsg-os-provision: check result_exec_obtain_rps_mask"
assert:
that:
- result_exec_obtain_rps_mask.rc == 0
- result_exec_obtain_rps_mask.failed == False
fail_msg: "error:{{ result_exec_obtain_rps_mask.stderr }},stdout:{{ result_exec_obtain_rps_mask.stdout_lines }}"
success_msg: "Successded: obtain rpm mask"
- name: "set rps_mask into tfe-env-config"
set_fact:
tfe_env_rps_info: "{{ result_exec_obtain_rps_mask.stdout | from_json }}"
- name: "output tfe_env_rps_info"
debug:
msg: "{{ tfe_env_rps_info }}"
######setting nic cpu affinity mask end######
######get isolate cpu core start######
- name: redirect proxy config to config .proxy.json
copy:
content: "{{ proxy | to_json }}"
dest: /opt/tsg/tsg-os-provision/.proxy.json
- name: "tsg-os-provision: execute obtain_isolate_cpu_range.py"
shell: /opt/tsg/tsg-os-provision/scripts/obtain_isolate_cpu_range.py
register: result_exec_obtain_isolate_cpu_range
- name: "tsg-os-provision: check result_exec_obtain_isolate_cpu_range"
assert:
that:
- result_exec_obtain_isolate_cpu_range.rc == 0
- result_exec_obtain_isolate_cpu_range.failed == False
fail_msg: "error:{{ result_exec_obtain_isolate_cpu_range.stderr }},stdout:{{ result_exec_obtain_isolate_cpu_range.stdout_lines }}"
success_msg: "Successded: obtain isolate cpu range"
- name: "set fact grub_cpu_isolate"
set_fact:
grub_cpu_isolate: "{{ result_exec_obtain_isolate_cpu_range.stdout }}"
######get isolate cpu core end######
- name: get /proc/cmdline
shell: cat /proc/cmdline
register: result_exec_cat_cmdline
- name: need to reboot
fail:
msg: "Detected that the configuration of cpu isolate has changed, please run command \"provision-config-apply --reboot\" to reboot the machine that make the configuration take effect!"
when:
- result_exec_cat_cmdline is not search(grub_cpu_isolate)
- enable_config_apply != '2'
- name: "set keep_alive_ip"
set_fact:
gdev_conf_keep_alive_ip: "{{ etherfabric_settings.keepalive.ip }}"
- name: "set cm_policy_server_ip and cm_policy_server_port"
set_fact:
cm_policy_server_ip: "{{cm.policy_server.address}}"
cm_policy_server_port: "{{ cm.policy_server.port }}"
- name: "tsg-os-provision: execute obtain policy_and_log nic ip address"
shell: ip addr show {{ network_setting.nic_policy_log.name }} | grep "inet " | awk '{ print $2 }' | awk -F "/" '{ print $1 }'
register: result_exec_obtain_policy_and_log_nic_ip
- name: "tsg-os-provision: check result_exec_obtain_policy_and_log_nic_ip"
assert:
that:
- result_exec_obtain_policy_and_log_nic_ip.rc == 0
- result_exec_obtain_policy_and_log_nic_ip.failed == False
fail_msg: "error:{{ result_exec_obtain_policy_and_log_nic_ip.stderr }},stdout:{{ result_exec_obtain_policy_and_log_nic_ip.stdout_lines }}"
success_msg: "Successded: obtain policy_and_log nic ip address"
- name: "set fact policy_and_log_nic_ip"
set_fact:
policy_and_log_nic_ip: "{{ result_exec_obtain_policy_and_log_nic_ip.stdout }}"
- name: redirect proxy config to config policy_and_log_nic_ip
copy:
content: "policy_and_log_nic_ip: {{ policy_and_log_nic_ip }}"
dest: /opt/tsg/tsg-os-provision/.policy_and_log_nic_ip.yaml
- name: "replace action: grub config isolate cpu"
replace:
path: "{{ item }}"
regexp: 'isolcpus=\d+-+\d+'
replace: 'isolcpus={{grub_cpu_isolate}}'
with_items:
- /boot/grub/grub.cfg
- /etc/grub.d/40_onie_grub
- name: "tsg-os-provision: template mrglobal.conf file"
template:
src: "../templates/mrglobal.conf.j2"
dest: /opt/tsg/mrzcpd/etc/mrglobal.conf
tags: mrzcpd
- name: "tsg-os-provision: template tsg_workload_resource.yml file"
template:
src: "../templates/tsg_workload_resource.yml.j2"
dest: /opt/tsg/vsys1/workload_resource/tsg_workload_resource.yml
tags: vsys1
- name: "mkdir /opt/tsg/etc/"
file:
path: /opt/tsg/etc
state: directory
- name: "tsg-os-provision: obtain sn and write sn to tsg_sn.json"
shell: /opt/tsg/tsg-os-provision/scripts/obtain_sn.sh
register: result_exec_obtain_sn_and_write_sn_in_file
- name: "tsg-os-provision: check result_exec_obtain_sn_and_write_sn_in_file"
assert:
that:
- result_exec_obtain_sn_and_write_sn_in_file.rc == 0
- result_exec_obtain_sn_and_write_sn_in_file.failed == False
fail_msg: "error:{{ result_exec_obtain_sn_and_write_sn_in_file.stderr }},stdout:{{ result_exec_obtain_sn_and_write_sn_in_file.stdout_lines }}"
success_msg: "Successded: obtain the sn and write sn into tsg_sn.json"
- name: "tsg-os-provision: template the tsg_device_tag"
template:
src: "../templates/tsg_device_tag.json.j2"
dest: /opt/tsg/etc/tsg_device_tag.json
tags: tsg_device_tag
- name: 'tsg-os-provision: execute command - systemctl daemon-reload'
systemd:
daemon_reload: yes
- name: "tsg-os-provision: coredump setup override - mkdir"
file:
path: /usr/lib/systemd/coredump.conf.d/
state: directory
- name: "tsg-os-provision: coredump setup override - override"
template:
src: "../templates/coredump_setup_override.conf.j2"
dest: /usr/lib/systemd/coredump.conf.d/coredump_setup_override.conf
- name: "tsg-os-provision: snapshot the stage2 config files"
copy:
src: /data/tsg-os-provision/provision.yml
dest: /data/tsg-os-provision/provision.yml.snapshot
# - name: load tsg images
# shell: /opt/tsg/vsys1/scripts/tsg-traffic-image-load.sh
- name: add porvision successed sign
file:
path: /data/tsg-os-provision/.provision_succeeded
state: touch
- name: "tsg-os-provision: restart mrenv"
systemd:
name: mrenv
state: restarted
when: enable_config_apply == '1'
- name: "tsg-os-provision: restart mrzcpd"
systemd:
name: mrzcpd
state: restarted
when: enable_config_apply == '1'
- name: "tsg-os-provision: restart mrapm_device"
systemd:
name: mrapm_device
state: restarted
when: enable_config_apply == '1'
- name: "tsg-os-provision: restart mrapm_stream"
systemd:
name: mrapm_stream
state: restarted
when: enable_config_apply == '1'
- name: exec image load
shell: /opt/tsg/vsys1/scripts/tsg-traffic-image-load.sh
when: enable_config_apply == '1'
- name: "tsg-os-provision: restart tsg-traffic-engine"
systemd:
name: tsg-traffic-engine
state: restarted
when: enable_config_apply == '1'

218
ansible/roles/tsg-os-provision/files/tasks/provision.yml.TSGXNXR620G40R01P0906-init Normal file
View File

@@ -0,0 +1,218 @@
---
- hosts: provision
tasks:
- name: Load default config file variable
include_vars:
file: /opt/tsg/tsg-os-provision/provision.default.yml
- name: Load general config file variable
include_vars:
file: /data/tsg-os-provision/provision.yml
- name: Load specified file variable
include_vars:
file: /data/tsg-os-provision/.policy_and_log_nic_ip.yaml
######setting cpu affinity start######
- name: obtain cpu layout info
set_fact:
cpu_layout_obtained: "{{ item }}"
loop: "{{ cpu_layouts }}"
when:
- ansible_facts.processor[2] is search(item.match.model_name)
- ansible_facts.processor_count == item.match.sockets
- name: set cpu affinity variable
set_fact:
workload_firewall_cpu_affinity: "{{ cpu_layout_obtained.sapp_affinity | join(',') }}"
workload_zcpd_cpu_affinity: "{{ cpu_layout_obtained.mrzcpd_affinity | join(',')}}"
workload_firewall_worker_threads: "{{ cpu_layout_obtained.sapp_affinity | length }}"
workload_proxy_cpu_affinity: "{{ cpu_layout_obtained.tfe_affinity | join(',') }}"
workload_proxy_worker_thread: "{{ cpu_layout_obtained.tfe_affinity | length | int - 1 }}"
- name: "tsg-os-provision: rewrite sapp_cpu_affinity and sapp_worker_threads"
set_fact:
workload_firewall_cpu_affinity: "{{ (cpu_layout_obtained.sapp_affinity + cpu_layout_obtained.tfe_affinity) | join(',') }}"
workload_firewall_worker_threads: "{{ (cpu_layout_obtained.sapp_affinity + cpu_layout_obtained.tfe_affinity) | length }}"
when: proxy.enable == 0
######setting cpu affinity end######
######setting nic cpu affinity mask start######
- name: output cpu_layouts config to config .cpu_layouts.json
copy:
content: "{{ cpu_layouts| to_json }}"
dest: /opt/tsg/tsg-os-provision/.cpu_layouts.json
- name: "tsg-os-provision: obtain rps_mask"
shell: /opt/tsg/tsg-os-provision/scripts/obtain_rps_mask.py
register: result_exec_obtain_rps_mask
- name: "tsg-os-provision: check result_exec_obtain_rps_mask"
assert:
that:
- result_exec_obtain_rps_mask.rc == 0
- result_exec_obtain_rps_mask.failed == False
fail_msg: "error:{{ result_exec_obtain_rps_mask.stderr }},stdout:{{ result_exec_obtain_rps_mask.stdout_lines }}"
success_msg: "Successded: obtain rpm mask"
- name: "set rps_mask into tfe-env-config"
set_fact:
tfe_env_rps_info: "{{ result_exec_obtain_rps_mask.stdout | from_json }}"
- name: "output tfe_env_rps_info"
debug:
msg: "{{ tfe_env_rps_info }}"
######setting nic cpu affinity mask end######
######get isolate cpu core start######
- name: redirect proxy config to config .proxy.json
copy:
content: "{{ proxy | to_json }}"
dest: /opt/tsg/tsg-os-provision/.proxy.json
- name: "tsg-os-provision: execute obtain_isolate_cpu_range.py"
shell: /opt/tsg/tsg-os-provision/scripts/obtain_isolate_cpu_range.py
register: result_exec_obtain_isolate_cpu_range
- name: "tsg-os-provision: check result_exec_obtain_isolate_cpu_range"
assert:
that:
- result_exec_obtain_isolate_cpu_range.rc == 0
- result_exec_obtain_isolate_cpu_range.failed == False
fail_msg: "error:{{ result_exec_obtain_isolate_cpu_range.stderr }},stdout:{{ result_exec_obtain_isolate_cpu_range.stdout_lines }}"
success_msg: "Successded: obtain isolate cpu range"
- name: "set fact grub_cpu_isolate"
set_fact:
grub_cpu_isolate: "{{ result_exec_obtain_isolate_cpu_range.stdout }}"
- name: "set fact policy_and_log nic name"
set_fact:
network_setting:
nic_policy_log:
name: "ctrl_mock"
######get isolate cpu core end######
- name: "set keep_alive_ip"
set_fact:
gdev_conf_keep_alive_ip: "{{ etherfabric_settings.keepalive.ip }}"
- name: "set cm_policy_server_ip and cm_policy_server_port"
set_fact:
cm_policy_server_ip: "{{cm.policy_server.address}}"
cm_policy_server_port: "{{ cm.policy_server.port }}"
- name: "mkdir /opt/tsg/exporter/"
file:
path: "{{ item }}"
state: directory
with_items:
- /target_config/opt/tsg/sapp/plug
- /target_config/opt/tsg/sapp/etc
- /target_config/opt/tsg/sapp/tsgconf
- /target_config/opt/tsg/sapp/plug/business/tsg_conn_sketch
- /target_config/opt/tsg/sapp/etc/kni
- /target_config/opt/tsg/sapp/etc/wannat
- /target_config/opt/tsg/tfe/conf/tfe
- /target_config/opt/tsg/tfe/conf/pangu
- /target_config/opt/tsg/certstore/conf
- /target_config/etc/telegraf
- /target_config/opt/tsg/etc
- /target_config/etc/default
- name: "get sn"
shell: /opt/tsg/tsg-os-provision/scripts/obtain_sn.sh
- name: "tsg-os-provision: Template the conflist.inf"
template:
src: ../templates/conflist.inf.j2
dest: /target_config/opt/tsg/sapp/plug/conflist.inf
tags: sapp
- name: "tsg-os-provision: template gdev.conf file"
template:
src: "../templates/gdev.conf.j2"
dest: /target_config/opt/tsg/sapp/etc/gdev.conf
tags: sapp
- name: "tsg-os-provision: Template the tsgconf/main.conf"
template:
src: "../templates/main.conf.j2"
dest: /target_config/opt/tsg/sapp/tsgconf/main.conf
tags: firewall
- name: "tsg-os-provision: Template the tsgconf/maat.conf"
template:
src: "../templates/maat.conf.j2"
dest: /target_config/opt/tsg/sapp/tsgconf/maat.conf
tags: firewall
- name: "tsg-os-provision: Template the tsg_conn_sketch.inf"
template:
src: "../templates/tsg_conn_sketch.inf.j2"
dest: /target_config/opt/tsg/sapp/plug/business/tsg_conn_sketch/tsg_conn_sketch.inf
tags: firewall
- name: "tsg-os-provision: Template the sapp.toml"
template:
src: "../templates/sapp.toml.j2"
dest: /target_config/opt/tsg/sapp/etc/sapp.toml
tags: sapp
- name: "tsg-os-provision: Template the send_raw_pkt.conf"
template:
src: "../templates/send_raw_pkt.conf.j2"
dest: /target_config/opt/tsg/sapp/etc/send_raw_pkt.conf
tags: sapp
- name: "tsg-os-provision: template the kni.conf"
template:
src: "../templates/kni.conf.j2"
dest: /target_config/opt/tsg/sapp/etc/kni/kni.conf
tags: sapp
- name: "tsg-os-provision: template wannat wangw.conf file"
template:
src: "../templates/wangw.conf.j2"
dest: /target_config/opt/tsg/sapp/etc/wannat/wangw.conf
tags: wangw
- name: "tsg-os-provision: template the tfe.conf"
template:
src: "../templates/tfe.conf.j2"
dest: /target_config/opt/tsg/tfe/conf/tfe/tfe.conf
tags: tfe
when: proxy.enable == 1
- name: "tsg-os-provision: template the pangu_pxy.conf"
template:
src: "../templates/pangu_pxy.conf.j2"
dest: /target_config/opt/tsg/tfe/conf/pangu/pangu_pxy.conf
tags: tfe
when: proxy.enable == 1
- name: "tsg-os-provision: template certstore configure file"
template:
src: "../templates/cert_store.ini.j2"
dest: /target_config/opt/tsg/certstore/conf/cert_store.ini
tags: certstore
- name: "tsg-os-provision: Templates telegraf.conf"
template:
src: "../templates/telegraf_statistic.conf.j2"
dest: /target_config/etc/telegraf/telegraf_statistic.conf
tags: telegraf_statistic
- name: "create tap device ctrl_mock"
shell: ip tuntap add mode tap ctrl_mock; ifconfig ctrl_mock up; ifconfig ctrl_mock {{ policy_and_log_nic_ip }}/32
- name: "create tap device tun_kni"
shell: ip tuntap add mode tap tun_kni
when: proxy.enable == 1
- name: "execute tfe-env shell"
shell: /opt/tsg/tfe/tfe-env-start.sh
when: proxy.enable == 1

42
ansible/roles/tsg-os-provision/tasks/main.yml
View File

@@ -82,7 +82,21 @@
src: "{{ role_path }}/files/tasks/provision.yml.TSGXNXR620G40R01P0804"
dest: /opt/tsg/tsg-os-provision/tasks/provision.yml
mode: 0644
when: runtime_env == 'TSG-X-P0804'
when: runtime_env == 'TSG-X-P0804' or runtime_env == 'TSG-X-P0906'
- name: "tsg-os-provision: copy tasks file that excutes provision to dest - tsg-x p0906"
copy:
src: "{{ role_path }}/files/tasks/provision.yml.TSGXNXR620G40R01P0906"
dest: /opt/tsg/tsg-os-provision/tasks/provision.yml
mode: 0644
when: runtime_env == 'TSG-X-P0906' and PROFILE_ID == 'TSG-X-NXR620G40-R01-P0906'
- name: "tsg-os-provision: copy tasks file that excutes provision to dest - tsg-x p0906 init"
copy:
src: "{{ role_path }}/files/tasks/provision.yml.TSGXNXR620G40R01P0906-init"
dest: /opt/tsg/tsg-os-provision/tasks/provision.yml
mode: 0644
when: runtime_env == 'TSG-X-P0906' and PROFILE_ID == 'TSG-X-NXR620G40-R01-P0906-init'
- name: "tsg-os-provision: copy provision.yml.sample file to dest - tsg9140"
copy:
@@ -131,7 +145,7 @@
src: "{{ role_path }}/files/config_sample/provision.default.yml.TSGXNXR620G40R01P0804"
dest: /opt/tsg/tsg-os-provision/provision.default.yml
mode: 0644
when: runtime_env == 'TSG-X-P0804'
when: runtime_env == 'TSG-X-P0804' or runtime_env == 'TSG-X-P0906'
- name: "tsg-os-provision: copy provision.yml.sample to dest - tsg7400 mcn0"
copy:
@@ -166,7 +180,7 @@
src: "{{ role_path }}/files/config_sample/provision.yml.sample.TSGXNXR620G40R01P0804"
dest: /opt/tsg/tsg-os-provision/provision.yml.sample
mode: 0644
when: runtime_env == 'TSG-X-P0804'
when: runtime_env == 'TSG-X-P0804' or runtime_env == 'TSG-X-P0906'
- name: "tsg-os-provision: copy provision.sh file to dest"
copy:
@@ -236,18 +250,27 @@
- { "src": tsg-os-provision.service.TSGXP1403, "dest": tsg-os-provision.service }
when: runtime_env == 'TSG-X-P1403' or runtime_env == 'TSG-X-P0804'
- name: "install tsg-os-provision.service -- TSG-X-P0906"
copy:
src: "{{ role_path }}/files/service/{{ item.src }}"
dest: /usr/lib/systemd/system/{{ item.dest }}
mode: 0644
with_items:
- { "src": tsg-os-provision.service.TSGXP0906, "dest": tsg-os-provision.service }
when: runtime_env == 'TSG-X-P0906'
- name: "replace action: add service into sysinit.target --TSG-X-P1403"
shell: ln -vfs --relative /usr/lib/systemd/system/{{item}} /usr/lib/systemd/system/sysinit.target.wants/{{item}}
with_items:
- tsg-os-provision.service
when: runtime_env == 'TSG-X-P1403' or runtime_env == 'TSG-X-P0804'
when: runtime_env == 'TSG-X-P1403' or runtime_env == 'TSG-X-P0804' or runtime_env == 'TSG-X-P0906'
- name: "tsg-os-provision: copy tsg-start.sh to dest - TSG-X-P1403"
copy:
src: "{{ role_path }}/files/script/provision-config-apply"
dest: /opt/tsg/tsg-os-provision/
mode: 0755
when: runtime_env == 'TSG-X-P1403' or runtime_env == 'TSG-X-P0804'
when: runtime_env == 'TSG-X-P1403' or runtime_env == 'TSG-X-P0804' or runtime_env == 'TSG-X-P0906'
- name: "tsg-os-provision: obtain_rps_mask and obtain_cpu_core_range to dest - TSG-X-P0804"
copy:
@@ -257,7 +280,7 @@
with_items:
- obtain_rps_mask.py
- obtain_isolate_cpu_range.py
when: runtime_env == 'TSG-X-P0804'
when: runtime_env == 'TSG-X-P0804' or runtime_env == 'TSG-X-P0906'
######TSG-X-P1403 end######
@@ -271,10 +294,3 @@
src: "{{ role_path }}/files/script/tsg-os-provision.sh"
dest: /etc/profile.d/
mode: 0755
- name: "add sudo secure_path"
lineinfile:
path: /etc/sudoers
backrefs: yes
regexp: "^(.*Defaults secure_path =.*)$"
line: '\1:/opt/tsg/tsg-os-provision'

8
ansible/roles/tsg_app/tasks/main.yml
View File

@@ -1,3 +1,11 @@
---
- name: "download rpm packages: app_skecth_local"
yum:
name: "{{ tsg_app_rpm_version.app_sketch_local }}"
conf_file: "{{ rpm_repo_config_path }}"
state: present
download_only: yes
download_dir: "{{ path_download }}"
- name: "Install app_sketch_local that is sapp plugins"
shell: rpm -i /tmp/rpm_download/{{ tsg_app_rpm_version.app_sketch_local }}* --prefix {{ prefix_path.sapp }}

9
ansible/roles/tsg_master/tasks/main.yml
View File

@@ -1,2 +1,11 @@
- name: "download rpm packages: tsg_master"
yum:
name:
- "{{ tsg_master_rpm_version.tsg_master }}"
conf_file: "{{ rpm_repo_config_path }}"
state: present
download_only: yes
download_dir: "{{ path_download }}"
- name: "Install tsg_master that is sapp plugins"
shell: rpm -i /tmp/rpm_download/{{ tsg_master_rpm_version.tsg_master }}* --prefix {{ prefix_path.sapp }}

10
ansible/roles/tsg_sn/files/obtain_sn.sh.TSGXP0906-init Normal file
View File

@@ -0,0 +1,10 @@
#!/bin/bash -x
sn=`ipmitool fru list |grep 'Product Serial' | awk '{ print $4}'`
if [ -z "$sn" ];then
echo "{\"sn\": \"unknown\"}" > /target_config/opt/tsg/etc/tsg_sn.json
echo "device_id=\"unknown\"" > /target_config/etc/default/telegraf
exit 0
fi
echo "{\"sn\": \"$sn\"}" > /target_config/opt/tsg/etc/tsg_sn.json
echo "device_id=\"$sn\"" > /target_config/etc/default/telegraf

10
ansible/roles/tsg_sn/tasks/main.yml
View File

@@ -28,4 +28,12 @@
src: "{{ role_path }}/files/obtain_sn.sh.TSGXP1403"
dest: /opt/tsg/tsg-os-provision/scripts/obtain_sn.sh
mode: 0755
when: runtime_env == 'TSG-X-P1403' or runtime_env == 'TSG-X-P0804'
when: runtime_env == 'TSG-X-P1403' or runtime_env == 'TSG-X-P0804' or runtime_env == 'TSG-X-P0906'
- name: "deploy obtain sn - tsg-x-p0906"
copy:
src: "{{ role_path }}/files/obtain_sn.sh.TSGXP0906-init"
dest: /opt/tsg/tsg-os-provision/scripts/obtain_sn.sh
mode: 0755
when: runtime_env == 'TSG-X-P0906' and PROFILE_ID == 'TSG-X-NXR620G40-R01-P0906-init'

14
ansible/roles/vsys/files/tsg-images-load.service Normal file
View File

@@ -0,0 +1,14 @@
[Unit]
Description=Tsg container images loading
DefaultDependencies=no
Conflicts=shutdown.target
Requires=k3s.service
After=local-fs.target k3s.service
Before=sysinit.target shutdown.target systemd-update-done.service
ConditionNeedsUpdate=|/etc
ConditionFileNotEmpty=|/usr
[Service]
ExecStart=/bin/sh -c "/opt/tsg/vsys1/scripts/tsg-traffic-image-load.sh"
Type=oneshot
RemainAfterExit=yes

13
ansible/roles/vsys/files/tsg-traffic-engine.service Normal file
View File

@@ -0,0 +1,13 @@
[Unit]
Description=Tsg vsys1
Requires=k3s.service mrzcpd.service
After=k3s.service mrzcpd.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/sh -c "/opt/tsg/vsys1/scripts/tsg-traffic-image-load.sh;\
k3s kubectl create configmap vsys1-provision --from-file=/data/tsg-os-provision/provision.yml --from-file=/opt/tsg/tsg-os-provision/.policy_and_log_nic_ip.yaml;\
k3s kubectl apply -f /opt/tsg/vsys1/workload_resource/tsg_workload_resource.yml"
ExecStop=/bin/sh -c "k3s kubectl delete -f /opt/tsg/vsys1/workload_resource/tsg_workload_resource.yml;\
k3s kubectl delete configmap vsys1-provision"

45
ansible/roles/vsys/tasks/main.yml Normal file
View File

@@ -0,0 +1,45 @@
- name: "create directory for workload resource"
file:
path: "{{ item }}"
state: directory
with_items:
- /usr/lib/systemd/system/tsg-traffic-engine.service.d/
- /opt/tsg/vsys1/workload_resource/
- /usr/lib/systemd/system/tsg-images-load.service.d/
- /opt/tsg/vsys1/scripts/
- name: "copy vsys1 service file to dest"
copy:
src: "{{ role_path }}/files/tsg-traffic-engine.service"
dest: "/usr/lib/systemd/system/"
mode: 0644
#- name: "copy images load service file to dest"
# copy:
# src: "{{ role_path }}/files/tsg-images-load.service"
# dest: "/usr/lib/systemd/system/tsg-images-load.service"
# mode: 0644
- name: 'tsg-traffic-engine service enable'
systemd:
name: tsg-traffic-engine
enabled: yes
- name: "templates tsg_workload_resource.yml"
template:
src: "{{role_path}}/templates/tsg_workload_resource.yml.j2.j2"
dest: /opt/tsg/tsg-os-provision/templates/tsg_workload_resource.yml.j2
tags: template
- name: "copy slice file to tsg-traffic-engine.service.d"
copy:
src: "{{ role_path }}/templates/service_override_slice.conf.j2"
dest: /usr/lib/systemd/system/tsg-traffic-engine.service.d/service_override_slice.conf
mode: 0644
- name: "templates tsg-traffic-image-load.sh.j2"
template:
src: "{{role_path}}/templates/tsg-traffic-image-load.sh.j2"
dest: /opt/tsg/vsys1/scripts/tsg-traffic-image-load.sh
mode: 0755

2
ansible/roles/vsys/templates/service_override_slice.conf.j2 Normal file
View File

@@ -0,0 +1,2 @@
[Service]
Slice=workload.slice

13
ansible/roles/vsys/templates/tsg-traffic-image-load.sh.j2 Normal file
View File

@@ -0,0 +1,13 @@
#!/bin/bash -ex
#fileLoadImageSucceeded="/data/tsg-os-provision/.images_load_succeeded"
#if [ -f $fileLoadImageSucceeded ]; then
# rm $fileLoadImageSucceeded
#fi
/usr/local/bin/k3s ctr image import /opt/tsg/images/tsg-container-firewall-{{os_release_ver}}-images.tar
/usr/local/bin/k3s ctr image import /opt/tsg/images/tsg-container-proxy-{{os_release_ver}}-images.tar
/usr/local/bin/k3s ctr image import /opt/tsg/images/tsg-container-certstore-{{os_release_ver}}-images.tar
/usr/local/bin/k3s ctr image import /opt/tsg/images/tsg-container-telegraf-{{os_release_ver}}-images.tar
/usr/local/bin/k3s ctr image import /opt/tsg/images/tsg-container-init-{{os_release_ver}}-images.tar
#touch $fileLoadImageSucceeded

174
ansible/roles/vsys/templates/tsg_workload_resource.yml.j2.j2 Normal file
View File

@@ -0,0 +1,174 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: tsg
labels:
app: tsg
spec:
selector:
matchLabels:
app: tsg
template:
metadata:
labels:
app: tsg
spec:
tolerations:
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
containers:
- name: firewall
image: docker.io/library/tsg-firewall:{{os_release_ver}}
imagePullPolicy: Never
workingDir: /opt/tsg/sapp
command: ["/bin/bash", "-c", "./sapp"]
securityContext:
privileged: true
volumeMounts:
- name: opt-tsg-mrzcpd
mountPath: /opt/tsg/mrzcpd
readOnly: false
- name: var-run-mrzcpd
mountPath: /var/run/mrzcpd
readOnly: false
- name: var-run-dpdk
mountPath: /var/run/dpdk
readOnly: false
- name: root-sys
mountPath: /root/sys
readOnly: false
- name: switch-partion
mountPath: "/opt/tsg/sapp/plug/conflist.inf"
subPath: "opt/tsg/sapp/plug/conflist.inf"
- name: switch-partion
mountPath: "/opt/tsg/sapp/etc/gdev.conf"
subPath: "opt/tsg/sapp/etc/gdev.conf"
- name: switch-partion
mountPath: "/opt/tsg/sapp/tsgconf/main.conf"
subPath: "opt/tsg/sapp/tsgconf/main.conf"
- name: switch-partion
mountPath: "/opt/tsg/sapp/tsgconf/maat.conf"
subPath: "opt/tsg/sapp/tsgconf/maat.conf"
- name: switch-partion
mountPath: "/opt/tsg/sapp/plug/business/tsg_conn_sketch/tsg_conn_sketch.inf"
subPath: "opt/tsg/sapp/plug/business/tsg_conn_sketch/tsg_conn_sketch.inf"
- name: switch-partion
mountPath: "/opt/tsg/sapp/etc/sapp.toml"
subPath: "opt/tsg/sapp/etc/sapp.toml"
- name: switch-partion
mountPath: "/opt/tsg/sapp/etc/send_raw_pkt.conf"
subPath: "opt/tsg/sapp/etc/send_raw_pkt.conf"
- name: switch-partion
mountPath: "/opt/tsg/sapp/etc/kni/kni.conf"
subPath: "opt/tsg/sapp/etc/kni/kni.conf"
- name: switch-partion
mountPath: "/opt/tsg/sapp/etc/wannat/wangw.conf"
subPath: "opt/tsg/sapp/etc/wannat/wangw.conf"
- name: switch-partion
mountPath: "/opt/tsg/etc/tsg_sn.json"
subPath: "opt/tsg/etc/tsg_sn.json"
{% raw %}{% if proxy.enable == 1 %}
{% endraw %}
- name: proxy
image: docker.io/library/tsg-proxy:{{os_release_ver}}
imagePullPolicy: Never
workingDir: /opt/tsg/tfe
command: ["/bin/bash", "-c", "./bin/tfe"]
securityContext:
privileged: true
volumeMounts:
- name: opt-tsg-mrzcpd
mountPath: /opt/tsg/mrzcpd
readOnly: false
- name: var-run-mrzcpd
mountPath: /var/run/mrzcpd
readOnly: false
- name: var-run-dpdk
mountPath: /var/run/dpdk
readOnly: false
- name: root-sys
mountPath: /root/sys
readOnly: false
- name: switch-partion
mountPath: "/opt/tsg/tfe/conf/tfe/tfe.conf"
subPath: "opt/tsg/tfe/conf/tfe/tfe.conf"
- name: switch-partion
mountPath: "/opt/tsg/tfe/conf/pangu/pangu_pxy.conf"
subPath: "opt/tsg/tfe/conf/pangu/pangu_pxy.conf"
- name: switch-partion
mountPath: "/opt/tsg/etc/tsg_sn.json"
subPath: "opt/tsg/etc/tsg_sn.json"
{% raw %}{% endif %}
{% endraw %}
- name: certstore
image: docker.io/library/tsg-certstore:{{os_release_ver}}
imagePullPolicy: Never
workingDir: /opt/tsg/certstore
command: ["/bin/bash", "-c", "/usr/bin/redis-server /etc/cert-redis.conf;./bin/certstore"]
securityContext:
privileged: true
volumeMounts:
- name: switch-partion
mountPath: "/opt/tsg/certstore/conf/cert_store.ini"
subPath: "opt/tsg/certstore/conf/cert_store.ini"
- name: switch-partion
mountPath: "/opt/tsg/etc/tsg_sn.json"
subPath: "opt/tsg/etc/tsg_sn.json"
- name: telegraf
image: docker.io/library/tsg-telegraf:{{os_release_ver}}
imagePullPolicy: Never
command: ["/bin/bash", "-c", "/usr/bin/telegraf -config /etc/telegraf/telegraf_statistic.conf -config-directory /etc/telegraf/telegraf_statistic.d"]
securityContext:
privileged: true
volumeMounts:
- name: switch-partion
mountPath: "/etc/telegraf/telegraf_statistic.conf"
subPath: "etc/telegraf/telegraf_statistic.conf"
- name: switch-partion
mountPath: "/opt/tsg/etc/tsg_sn.json"
subPath: "opt/tsg/etc/tsg_sn.json"
- name: switch-partion
mountPath: "/etc/default/telegraf"
subPath: "etc/default/telegraf"
initContainers:
- name: tsg-init
image: docker.io/library/tsg-init:{{os_release_ver}}
imagePullPolicy: Never
command: ["sh", "-c", "ansible-playbook -i /opt/tsg/tsg-os-provision/hosts /opt/tsg/tsg-os-provision/tasks/provision.yml"]
securityContext:
privileged: true
volumeMounts:
- name: switch-partion
mountPath: /target_config
- name: provision
mountPath: /data/tsg-os-provision
readOnly: true
volumes:
- name: opt-tsg-mrzcpd
hostPath:
path: /opt/tsg/mrzcpd
- name: var-run-mrzcpd
hostPath:
path: /var/run/mrzcpd
- name: var-run-dpdk
hostPath:
path: /var/run/dpdk
- name: root-sys
hostPath:
path: /root/sys
- name: provision
configMap:
name: vsys1-provision
- name: switch-partion
emptyDir: {}

9
ansible/roles/wannat_wangw/tasks/main.yml
View File

@@ -1,4 +1,13 @@
---
- name: "download rpm packages: wannat wangw"
yum:
name: "{{ item.value }}"
conf_file: "{{ rpm_repo_config_path }}"
state: present
download_only: yes
download_dir: "{{ path_download }}"
with_dict: "{{ wannat_wangw_rpm_version }}"
- name: "Install wangw plugins"
shell: rpm -i /tmp/rpm_download/{{ item.rpm_version }}* --prefix {{ item.prefix }}
with_items:

9
ansible/roles/wire_graft/tasks/main.yml
View File

@@ -1,4 +1,13 @@
---
- name: "download rpm packages: wire_graft"
yum:
name: "{{ item.value }}"
conf_file: "{{ rpm_repo_config_path }}"
state: present
download_only: yes
download_dir: "{{ path_download }}"
with_dict: "{{ wire_graft_rpm_version }}"
- name: "Install wire_graft that is sapp plugins"
shell: rpm -i /tmp/rpm_download/{{ item.rpm_version }}* --prefix {{ item.prefix }}
with_items:

2
installer/distro-setup.sh
View File

@@ -81,7 +81,7 @@ EOF2
echo "HOSTNAME=localhost" > /etc/sysconfig/network
# Disable selinux
sed -ie "s/SELINUX=/SELINUX=disabled/g" /etc/selinux/config
sed -ie "s/SELINUX=.*/SELINUX=disabled/g" /etc/selinux/config
ldconfig
exit 0

2
make/Makefile.7400MCN0P01R01
View File

@@ -52,7 +52,7 @@ sysroot-ansible: sysroot-verfile sysroot-base
cp $(CONFDIR)/resolv.conf $(TARGET_SYSROOT_DIR)/etc/ -r
cp $(TARGET_SYSROOT_DIR)/etc/hosts $(TARGET_SYSROOT_DIR)/tmp/ -r
cp /etc/hosts $(TARGET_SYSROOT_DIR)/etc/ -r
$(TOOLSDIR)/ansible-HAL $(PROFILE_ID) $(PROJECTDIR) $(TARGET_SYSROOT_DIR) /tmp/yum-CentOS-7.conf
$(TOOLSDIR)/ansible-HAL $(PROFILE_ID) $(PROJECTDIR) $(TARGET_SYSROOT_DIR) /tmp/yum-CentOS-7.conf $(OS_RELEASE_VER)
cp $(TARGET_SYSROOT_DIR)/tmp/hosts $(TARGET_SYSROOT_DIR)/etc/ -r
sysroot-cleanup:

2
make/Makefile.7400MCN123P01R01
View File

@@ -52,7 +52,7 @@ sysroot-ansible: sysroot-verfile sysroot-base
cp $(CONFDIR)/resolv.conf $(TARGET_SYSROOT_DIR)/etc/ -r
cp $(TARGET_SYSROOT_DIR)/etc/hosts $(TARGET_SYSROOT_DIR)/tmp/ -r
cp /etc/hosts $(TARGET_SYSROOT_DIR)/etc/ -r
$(TOOLSDIR)/ansible-HAL $(PROFILE_ID) $(PROJECTDIR) $(TARGET_SYSROOT_DIR) /tmp/yum-CentOS-7.conf
$(TOOLSDIR)/ansible-HAL $(PROFILE_ID) $(PROJECTDIR) $(TARGET_SYSROOT_DIR) /tmp/yum-CentOS-7.conf $(OS_RELEASE_VER)
cp $(TARGET_SYSROOT_DIR)/tmp/hosts $(TARGET_SYSROOT_DIR)/etc/ -r
sysroot-cleanup:

2
make/Makefile.9000NPBP01R01
View File

@@ -52,7 +52,7 @@ sysroot-ansible: sysroot-verfile sysroot-base
cp $(CONFDIR)/resolv.conf $(TARGET_SYSROOT_DIR)/etc/ -r
cp $(TARGET_SYSROOT_DIR)/etc/hosts $(TARGET_SYSROOT_DIR)/tmp/ -r
cp /etc/hosts $(TARGET_SYSROOT_DIR)/etc/ -r
$(TOOLSDIR)/ansible-HAL $(PROFILE_ID) $(PROJECTDIR) $(TARGET_SYSROOT_DIR) /tmp/yum-CentOS-7.conf
$(TOOLSDIR)/ansible-HAL $(PROFILE_ID) $(PROJECTDIR) $(TARGET_SYSROOT_DIR) /tmp/yum-CentOS-7.conf $(OS_RELEASE_VER)
cp $(TARGET_SYSROOT_DIR)/tmp/hosts $(TARGET_SYSROOT_DIR)/etc/ -r
sysroot-cleanup:

2
make/Makefile.TSGXNXR620G40R01P0804
View File

@@ -53,7 +53,7 @@ sysroot-ansible: sysroot-verfile sysroot-base
cp $(CONFDIR)/resolv.conf $(TARGET_SYSROOT_DIR)/etc/ -r
cp $(TARGET_SYSROOT_DIR)/etc/hosts $(TARGET_SYSROOT_DIR)/tmp/ -r
cp /etc/hosts $(TARGET_SYSROOT_DIR)/etc/ -r
$(TOOLSDIR)/ansible-HAL $(PROFILE_ID) $(PROJECTDIR) $(TARGET_SYSROOT_DIR) /tmp/yum-RockyLinux-8.conf
$(TOOLSDIR)/ansible-HAL $(PROFILE_ID) $(PROJECTDIR) $(TARGET_SYSROOT_DIR) /tmp/yum-RockyLinux-8.conf $(OS_RELEASE_VER)
cp $(TARGET_SYSROOT_DIR)/tmp/hosts $(TARGET_SYSROOT_DIR)/etc/ -r
umount $(TARGET_SYSROOT_DIR)/proc

223
make/Makefile.TSGXNXR620G40R01P0906 Normal file
View File

@@ -0,0 +1,223 @@
PROFILE_ID := TSG-X-NXR620G40-R01-P0906
SUPPORTED_MACHINE_ID := TSG-X-NXR620G40-R01-P0906
KERNEL_ARGS := crashkernel=512M default_hugepagesz=1G hugepagesz=1G hugepages=16 intel_iommu=on iommu=pt mitigations=off psi=1 isolcpus=1-76
GRUB_SERIAL_COMMAND :=
SIZE_PART_SYSROOT := 16384M
SIZE_PART_UPDATE := 16384M
PROFILE_ID_IN_SHORT := $(subst -,$e,$(PROFILE_ID))
CHROOT_PKG := tsg-os-${OS_RELEASE_VER}-${PROFILE_ID_IN_SHORT}-chroot.tar.bz2
CHROOT_BIN := tsg-os-${OS_RELEASE_VER}-${PROFILE_ID_IN_SHORT}-ONIE.bin
TARGET_BUILD_DIR := $(BUILDDIR_BASE)/$(PROFILE_ID)
TARGET_INSTALLER_DIR := $(TARGET_BUILD_DIR)/installer
TARGET_SYSROOT_DIR := $(TARGET_BUILD_DIR)/sysroot
TARGET_CONTAINER_IMAGE_DIR := $(TARGET_BUILD_DIR)/container_images
CONTAINER_DOCKERFILE := $(TARGET_CONTAINER_IMAGE_DIR)/Dockerfile
CONTAINER_FIREWALL_NAME := firewall
TARGET_CONTAINER_FIREWALL_SYSROOT_DIR := $(TARGET_BUILD_DIR)/$(CONTAINER_FIREWALL_NAME)-container_sysroot
CONTAINER_FIREWALL_PKG := tsg-container-$(CONTAINER_FIREWALL_NAME)-${OS_RELEASE_VER}-${PROFILE_ID_IN_SHORT}-images.tar.xz
CONTAINER_FIREWALL_TAR := tsg-container-$(CONTAINER_FIREWALL_NAME)-${OS_RELEASE_VER}-images.tar
CONTAINER_PROXY_NAME := proxy
TARGET_CONTAINER_RPOXY_SYSROOT_DIR := $(TARGET_BUILD_DIR)/$(CONTAINER_PROXY_NAME)-container_sysroot
CONTAINER_RPOXY_PKG := tsg-container-$(CONTAINER_PROXY_NAME)-${OS_RELEASE_VER}-${PROFILE_ID_IN_SHORT}-images.tar.xz
CONTAINER_RPOXY_TAR := tsg-container-$(CONTAINER_PROXY_NAME)-${OS_RELEASE_VER}-images.tar
CONTAINER_CERTSTORE_NAME := certstore
TARGET_CONTAINER_CERTSTORE_SYSROOT_DIR := $(TARGET_BUILD_DIR)/$(CONTAINER_CERTSTORE_NAME)-container_sysroot
CONTAINER_CERTSTORE_PKG := tsg-container-$(CONTAINER_CERTSTORE_NAME)-${OS_RELEASE_VER}-${PROFILE_ID_IN_SHORT}-images.tar.xz
CONTAINER_CERTSTORE_TAR := tsg-container-$(CONTAINER_CERTSTORE_NAME)-${OS_RELEASE_VER}-images.tar
CONTAINER_TELEGRAF_NAME := telegraf
TARGET_CONTAINER_TELEGRAF_SYSROOT_DIR := $(TARGET_BUILD_DIR)/$(CONTAINER_TELEGRAF_NAME)-container_sysroot
CONTAINER_TELEGRAF_PKG := tsg-container-$(CONTAINER_TELEGRAF_NAME)-${OS_RELEASE_VER}-${PROFILE_ID_IN_SHORT}-images.tar.xz
CONTAINER_TELEGRAF_TAR := tsg-container-$(CONTAINER_TELEGRAF_NAME)-${OS_RELEASE_VER}-images.tar
CONTAINER_INIT_NAME := init
TARGET_CONTAINER_INIT_SYSROOT_DIR := $(TARGET_BUILD_DIR)/$(CONTAINER_INIT_NAME)-container_sysroot
CONTAINER_INIT_PKG := tsg-container-$(CONTAINER_INIT_NAME)-${OS_RELEASE_VER}-${PROFILE_ID_IN_SHORT}-images.tar.xz
CONTAINER_INIT_TAR := tsg-container-$(CONTAINER_INIT_NAME)-${OS_RELEASE_VER}-images.tar
.PHONY: all builddir installer sysroot-base sysroot-cleanup sysroot-archive sysroot-binary container-sysroot-base container-sysroot-ansible container-images-generate add-images-into-sysroot container-sysroot-cleanup clean
all: sysroot-binary
builddir:
mkdir -p $(TARGET_BUILD_DIR)
installer: builddir
rm -rf $(TARGET_INSTALLER_DIR)
mkdir -p $(TARGET_INSTALLER_DIR)
cp $(INSTALLERDIR)/install.sh $(TARGET_INSTALLER_DIR)/install.sh
cp $(INSTALLERDIR)/distro-setup.sh $(TARGET_INSTALLER_DIR)/distro-setup.sh
chmod +x $(TARGET_INSTALLER_DIR)/install.sh
chmod +x $(TARGET_INSTALLER_DIR)/distro-setup.sh
sed -i -e "s/%%DISTR0_VER%%/$(OS_RELEASE_VER)/" $(TARGET_INSTALLER_DIR)/install.sh
sed -i -e "s/%%MACHINE_ID%%/$(SUPPORTED_MACHINE_ID)/" $(TARGET_INSTALLER_DIR)/install.sh
sed -i -e "s/%%CHROOT_PKG%%/$(CHROOT_PKG)/" $(TARGET_INSTALLER_DIR)/install.sh
sed -i -e "s/%%KERNAL_ARGS%%/$(KERNEL_ARGS)/" $(TARGET_INSTALLER_DIR)/install.sh
sed -i -e "s/%%GRUB_SERIAL_COMMAND%%/$(GRUB_SERIAL_COMMAND)/" $(TARGET_INSTALLER_DIR)/install.sh
sed -i -e "s/%%SIZE_PART_SYSROOT%%/$(SIZE_PART_SYSROOT)/" $(TARGET_INSTALLER_DIR)/install.sh
sed -i -e "s/%%SIZE_PART_UPDATE%%/$(SIZE_PART_UPDATE)/" $(TARGET_INSTALLER_DIR)/install.sh
sed -i '/sapp-pr:/d;/tfe-pr:/d' $(PROJECTDIR)/ansible/install_config/group_vars/rpm_version.yml
sysroot-base: builddir
$(TOOLSDIR)/mk-base-image $(CONFDIR)/yum-RockyLinux-8.conf $(TARGET_SYSROOT_DIR) $(PROJECTDIR) $(PROFILE_ID)
container-sysroot-base: builddir sysroot-verfile sysroot-ansible
rm -rf $(TARGET_CONTAINER_FIREWALL_SYSROOT_DIR)
rm -rf $(TARGET_CONTAINER_RPOXY_SYSROOT_DIR)
rm -rf $(TARGET_CONTAINER_CERTSTORE_SYSROOT_DIR)
rm -rf $(TARGET_CONTAINER_TELEGRAF_SYSROOT_DIR)
rm -rf $(TARGET_CONTAINER_INIT_SYSROOT_DIR)
mkdir -p $(TARGET_CONTAINER_FIREWALL_SYSROOT_DIR)
mkdir -p $(TARGET_CONTAINER_RPOXY_SYSROOT_DIR)
mkdir -p $(TARGET_CONTAINER_CERTSTORE_SYSROOT_DIR)
mkdir -p $(TARGET_CONTAINER_TELEGRAF_SYSROOT_DIR)
mkdir -p $(TARGET_CONTAINER_INIT_SYSROOT_DIR)
mkdir -p $(TARGET_CONTAINER_IMAGE_DIR)
tar -Jxf $(PROJECTDIR)/package/rocky-8.6-docker.tar.xz -C $(TARGET_CONTAINER_FIREWALL_SYSROOT_DIR)
tar -Jxf $(PROJECTDIR)/package/rocky-8.6-docker.tar.xz -C $(TARGET_CONTAINER_RPOXY_SYSROOT_DIR)
tar -Jxf $(PROJECTDIR)/package/rocky-8.6-docker.tar.xz -C $(TARGET_CONTAINER_CERTSTORE_SYSROOT_DIR)
tar -Jxf $(PROJECTDIR)/package/rocky-8.6-docker.tar.xz -C $(TARGET_CONTAINER_TELEGRAF_SYSROOT_DIR)
tar -Jxf $(PROJECTDIR)/package/rocky-8.6-docker.tar.xz -C $(TARGET_CONTAINER_INIT_SYSROOT_DIR)
#curl -SL https://raw.githubusercontent.com/rocky-linux/sig-cloud-instance-images/Rocky-8.5-x86_64/rocky-8.5-docker-x86_64.tar.xz | tar -Jx -C $(TARGET_CONTAINER_SYSROOT_DIR)
sysroot-verfile: sysroot-base
sed -i -e "s/^NAME=.*/NAME=\"TSG-OS\"/" $(TARGET_SYSROOT_DIR)/usr/lib/os-release
sed -i -e "s/^VERSION=.*/VERSION=\"$(OS_RELEASE_VER) ($(PROFILE_ID_IN_SHORT))\"/" $(TARGET_SYSROOT_DIR)/usr/lib/os-release
sed -i -e "s/^PRETTY_NAME=.*/PRETTY_NAME=\"TSG-OS $(OS_RELEASE_VER) ($(PROFILE_ID_IN_SHORT))\"/" $(TARGET_SYSROOT_DIR)/usr/lib/os-release
sysroot-ansible: sysroot-verfile sysroot-base
cp $(CONFDIR)/yum-RockyLinux-8.conf $(TARGET_SYSROOT_DIR)/tmp/ -r
cp $(CONFDIR)/resolv.conf $(TARGET_SYSROOT_DIR)/etc/ -r
cp $(TARGET_SYSROOT_DIR)/etc/hosts $(TARGET_SYSROOT_DIR)/tmp/ -r
cp /etc/hosts $(TARGET_SYSROOT_DIR)/etc/ -r
$(TOOLSDIR)/ansible-HAL $(PROFILE_ID) $(PROJECTDIR) $(TARGET_SYSROOT_DIR) /tmp/yum-RockyLinux-8.conf $(OS_RELEASE_VER)
cp $(TARGET_SYSROOT_DIR)/tmp/hosts $(TARGET_SYSROOT_DIR)/etc/ -r
container-sysroot-ansible: container-sysroot-base
cp $(CONFDIR)/yum-RockyLinux-8.conf $(TARGET_CONTAINER_FIREWALL_SYSROOT_DIR)/tmp/ -r
cp $(CONFDIR)/resolv.conf $(TARGET_CONTAINER_FIREWALL_SYSROOT_DIR)/etc/ -r
cp $(TARGET_CONTAINER_FIREWALL_SYSROOT_DIR)/etc/hosts $(TARGET_CONTAINER_FIREWALL_SYSROOT_DIR)/tmp/ -r
cp /etc/hosts $(TARGET_CONTAINER_FIREWALL_SYSROOT_DIR)/etc/ -r
$(TOOLSDIR)/ansible-HAL $(PROFILE_ID)-$(CONTAINER_FIREWALL_NAME) $(PROJECTDIR) $(TARGET_CONTAINER_FIREWALL_SYSROOT_DIR) /tmp/yum-RockyLinux-8.conf $(OS_RELEASE_VER)
cp $(TARGET_CONTAINER_FIREWALL_SYSROOT_DIR)/tmp/hosts $(TARGET_CONTAINER_FIREWALL_SYSROOT_DIR)/etc/ -r
cp $(CONFDIR)/yum-RockyLinux-8.conf $(TARGET_CONTAINER_RPOXY_SYSROOT_DIR)/tmp/ -r
cp $(CONFDIR)/resolv.conf $(TARGET_CONTAINER_RPOXY_SYSROOT_DIR)/etc/ -r
cp $(TARGET_CONTAINER_RPOXY_SYSROOT_DIR)/etc/hosts $(TARGET_CONTAINER_RPOXY_SYSROOT_DIR)/tmp/ -r
cp /etc/hosts $(TARGET_CONTAINER_RPOXY_SYSROOT_DIR)/etc/ -r
$(TOOLSDIR)/ansible-HAL $(PROFILE_ID)-$(CONTAINER_PROXY_NAME) $(PROJECTDIR) $(TARGET_CONTAINER_RPOXY_SYSROOT_DIR) /tmp/yum-RockyLinux-8.conf $(OS_RELEASE_VER)
cp $(TARGET_CONTAINER_RPOXY_SYSROOT_DIR)/tmp/hosts $(TARGET_CONTAINER_RPOXY_SYSROOT_DIR)/etc/ -r
cp $(CONFDIR)/yum-RockyLinux-8.conf $(TARGET_CONTAINER_CERTSTORE_SYSROOT_DIR)/tmp/ -r
cp $(CONFDIR)/resolv.conf $(TARGET_CONTAINER_CERTSTORE_SYSROOT_DIR)/etc/ -r
cp $(TARGET_CONTAINER_CERTSTORE_SYSROOT_DIR)/etc/hosts $(TARGET_CONTAINER_CERTSTORE_SYSROOT_DIR)/tmp/ -r
cp /etc/hosts $(TARGET_CONTAINER_CERTSTORE_SYSROOT_DIR)/etc/ -r
$(TOOLSDIR)/ansible-HAL $(PROFILE_ID)-$(CONTAINER_CERTSTORE_NAME) $(PROJECTDIR) $(TARGET_CONTAINER_CERTSTORE_SYSROOT_DIR) /tmp/yum-RockyLinux-8.conf $(OS_RELEASE_VER)
cp $(TARGET_CONTAINER_CERTSTORE_SYSROOT_DIR)/tmp/hosts $(TARGET_CONTAINER_CERTSTORE_SYSROOT_DIR)/etc/ -r
cp $(CONFDIR)/yum-RockyLinux-8.conf $(TARGET_CONTAINER_TELEGRAF_SYSROOT_DIR)/tmp/ -r
cp $(CONFDIR)/resolv.conf $(TARGET_CONTAINER_TELEGRAF_SYSROOT_DIR)/etc/ -r
cp $(TARGET_CONTAINER_TELEGRAF_SYSROOT_DIR)/etc/hosts $(TARGET_CONTAINER_TELEGRAF_SYSROOT_DIR)/tmp/ -r
cp /etc/hosts $(TARGET_CONTAINER_TELEGRAF_SYSROOT_DIR)/etc/ -r
$(TOOLSDIR)/ansible-HAL $(PROFILE_ID)-$(CONTAINER_TELEGRAF_NAME) $(PROJECTDIR) $(TARGET_CONTAINER_TELEGRAF_SYSROOT_DIR) /tmp/yum-RockyLinux-8.conf $(OS_RELEASE_VER)
cp $(TARGET_CONTAINER_TELEGRAF_SYSROOT_DIR)/tmp/hosts $(TARGET_CONTAINER_TELEGRAF_SYSROOT_DIR)/etc/ -r
cp $(CONFDIR)/yum-RockyLinux-8.conf $(TARGET_CONTAINER_INIT_SYSROOT_DIR)/tmp/ -r
cp $(CONFDIR)/resolv.conf $(TARGET_CONTAINER_INIT_SYSROOT_DIR)/etc/ -r
cp $(TARGET_CONTAINER_INIT_SYSROOT_DIR)/etc/hosts $(TARGET_CONTAINER_INIT_SYSROOT_DIR)/tmp/ -r
cp /etc/hosts $(TARGET_CONTAINER_INIT_SYSROOT_DIR)/etc/ -r
$(TOOLSDIR)/ansible-HAL $(PROFILE_ID)-$(CONTAINER_INIT_NAME) $(PROJECTDIR) $(TARGET_CONTAINER_INIT_SYSROOT_DIR) /tmp/yum-RockyLinux-8.conf $(OS_RELEASE_VER)
cp $(TARGET_CONTAINER_INIT_SYSROOT_DIR)/tmp/hosts $(TARGET_CONTAINER_INIT_SYSROOT_DIR)/etc/ -r
container-sysroot-cleanup:
cp $(TARGET_CONTAINER_FIREWALL_SYSROOT_DIR)/tmp/ks-script-* $(TARGET_CONTAINER_FIREWALL_SYSROOT_DIR)
rm -rf $(TARGET_CONTAINER_FIREWALL_SYSROOT_DIR)/tmp/*
rm -rf $(TARGET_CONTAINER_FIREWALL_SYSROOT_DIR)/dev/*
mv $(TARGET_CONTAINER_FIREWALL_SYSROOT_DIR)/ks-script-* $(TARGET_CONTAINER_FIREWALL_SYSROOT_DIR)/tmp
cp $(TARGET_CONTAINER_RPOXY_SYSROOT_DIR)/tmp/ks-script-* $(TARGET_CONTAINER_RPOXY_SYSROOT_DIR)
rm -rf $(TARGET_CONTAINER_RPOXY_SYSROOT_DIR)/tmp/*
rm -rf $(TARGET_CONTAINER_RPOXY_SYSROOT_DIR)/dev/*
mv $(TARGET_CONTAINER_RPOXY_SYSROOT_DIR)/ks-script-* $(TARGET_CONTAINER_RPOXY_SYSROOT_DIR)/tmp
cp $(TARGET_CONTAINER_CERTSTORE_SYSROOT_DIR)/tmp/ks-script-* $(TARGET_CONTAINER_CERTSTORE_SYSROOT_DIR)
rm -rf $(TARGET_CONTAINER_CERTSTORE_SYSROOT_DIR)/tmp/*
rm -rf $(TARGET_CONTAINER_CERTSTORE_SYSROOT_DIR)/dev/*
mv $(TARGET_CONTAINER_CERTSTORE_SYSROOT_DIR)/ks-script-* $(TARGET_CONTAINER_CERTSTORE_SYSROOT_DIR)/tmp
cp $(TARGET_CONTAINER_TELEGRAF_SYSROOT_DIR)/tmp/ks-script-* $(TARGET_CONTAINER_TELEGRAF_SYSROOT_DIR)
rm -rf $(TARGET_CONTAINER_TELEGRAF_SYSROOT_DIR)/tmp/*
rm -rf $(TARGET_CONTAINER_TELEGRAF_SYSROOT_DIR)/dev/*
mv $(TARGET_CONTAINER_TELEGRAF_SYSROOT_DIR)/ks-script-* $(TARGET_CONTAINER_TELEGRAF_SYSROOT_DIR)/tmp
cp $(TARGET_CONTAINER_INIT_SYSROOT_DIR)/tmp/ks-script-* $(TARGET_CONTAINER_INIT_SYSROOT_DIR)
rm -rf $(TARGET_CONTAINER_INIT_SYSROOT_DIR)/tmp/*
rm -rf $(TARGET_CONTAINER_INIT_SYSROOT_DIR)/dev/*
mv $(TARGET_CONTAINER_INIT_SYSROOT_DIR)/ks-script-* $(TARGET_CONTAINER_INIT_SYSROOT_DIR)/tmp
container-images-generate: container-sysroot-ansible container-sysroot-cleanup
tar -Jcf $(TARGET_CONTAINER_IMAGE_DIR)/$(CONTAINER_FIREWALL_PKG) -C $(TARGET_CONTAINER_FIREWALL_SYSROOT_DIR) .
echo -e "FROM scratch\nADD $(CONTAINER_FIREWALL_PKG) /\n\nCMD ["/bin/bash"]\n" > $(CONTAINER_DOCKERFILE)
docker build -t tsg-${CONTAINER_FIREWALL_NAME}:$(OS_RELEASE_VER) -f $(CONTAINER_DOCKERFILE) $(TARGET_CONTAINER_IMAGE_DIR)
docker save tsg-${CONTAINER_FIREWALL_NAME}:$(OS_RELEASE_VER) > $(TARGET_CONTAINER_IMAGE_DIR)/$(CONTAINER_FIREWALL_TAR)
docker rmi tsg-${CONTAINER_FIREWALL_NAME}:$(OS_RELEASE_VER)
tar -Jcf $(TARGET_CONTAINER_IMAGE_DIR)/$(CONTAINER_RPOXY_PKG) -C $(TARGET_CONTAINER_RPOXY_SYSROOT_DIR) .
echo -e "FROM scratch\nADD $(CONTAINER_RPOXY_PKG) /\n\nCMD ["/bin/bash"]\n" > $(CONTAINER_DOCKERFILE)
docker build -t tsg-$(CONTAINER_PROXY_NAME):$(OS_RELEASE_VER) -f $(CONTAINER_DOCKERFILE) $(TARGET_CONTAINER_IMAGE_DIR)
docker save tsg-$(CONTAINER_PROXY_NAME):$(OS_RELEASE_VER) > $(TARGET_CONTAINER_IMAGE_DIR)/$(CONTAINER_RPOXY_TAR)
docker rmi tsg-$(CONTAINER_PROXY_NAME):$(OS_RELEASE_VER)
tar -Jcf $(TARGET_CONTAINER_IMAGE_DIR)/$(CONTAINER_CERTSTORE_PKG) -C $(TARGET_CONTAINER_CERTSTORE_SYSROOT_DIR) .
echo -e "FROM scratch\nADD $(CONTAINER_CERTSTORE_PKG) /\n\nCMD ["/bin/bash"]\n" > $(CONTAINER_DOCKERFILE)
docker build -t tsg-$(CONTAINER_CERTSTORE_NAME):$(OS_RELEASE_VER) -f $(CONTAINER_DOCKERFILE) $(TARGET_CONTAINER_IMAGE_DIR)
docker save tsg-$(CONTAINER_CERTSTORE_NAME):$(OS_RELEASE_VER) > $(TARGET_CONTAINER_IMAGE_DIR)/$(CONTAINER_CERTSTORE_TAR)
docker rmi tsg-$(CONTAINER_CERTSTORE_NAME):$(OS_RELEASE_VER)
tar -Jcf $(TARGET_CONTAINER_IMAGE_DIR)/$(CONTAINER_TELEGRAF_PKG) -C $(TARGET_CONTAINER_TELEGRAF_SYSROOT_DIR) .
echo -e "FROM scratch\nADD $(CONTAINER_TELEGRAF_PKG) /\n\nCMD ["/bin/bash"]\n" > $(CONTAINER_DOCKERFILE)
docker build -t tsg-$(CONTAINER_TELEGRAF_NAME):$(OS_RELEASE_VER) -f $(CONTAINER_DOCKERFILE) $(TARGET_CONTAINER_IMAGE_DIR)
docker save tsg-$(CONTAINER_TELEGRAF_NAME):$(OS_RELEASE_VER) > $(TARGET_CONTAINER_IMAGE_DIR)/$(CONTAINER_TELEGRAF_TAR)
docker rmi tsg-$(CONTAINER_TELEGRAF_NAME):$(OS_RELEASE_VER)
tar -Jcf $(TARGET_CONTAINER_IMAGE_DIR)/$(CONTAINER_INIT_PKG) -C $(TARGET_CONTAINER_INIT_SYSROOT_DIR) .
echo -e "FROM scratch\nADD $(CONTAINER_INIT_PKG) /\n\nCMD ["/bin/bash"]\n" > $(CONTAINER_DOCKERFILE)
docker build -t tsg-$(CONTAINER_INIT_NAME):$(OS_RELEASE_VER) -f $(CONTAINER_DOCKERFILE) $(TARGET_CONTAINER_IMAGE_DIR)
docker save tsg-$(CONTAINER_INIT_NAME):$(OS_RELEASE_VER) > $(TARGET_CONTAINER_IMAGE_DIR)/$(CONTAINER_INIT_TAR)
docker rmi tsg-$(CONTAINER_INIT_NAME):$(OS_RELEASE_VER)
sysroot-cleanup:
rm -rf $(TARGET_SYSROOT_DIR)/tmp/*
rm -rf $(TARGET_SYSROOT_DIR)/dev/*
add-images-into-sysroot: container-images-generate
mkdir -p $(TARGET_SYSROOT_DIR)/opt/tsg/images/
cp $(TARGET_CONTAINER_IMAGE_DIR)/$(CONTAINER_FIREWALL_TAR) $(TARGET_SYSROOT_DIR)/opt/tsg/images/
cp $(TARGET_CONTAINER_IMAGE_DIR)/$(CONTAINER_RPOXY_TAR) $(TARGET_SYSROOT_DIR)/opt/tsg/images/
cp $(TARGET_CONTAINER_IMAGE_DIR)/$(CONTAINER_CERTSTORE_TAR) $(TARGET_SYSROOT_DIR)/opt/tsg/images/
cp $(TARGET_CONTAINER_IMAGE_DIR)/$(CONTAINER_TELEGRAF_TAR) $(TARGET_SYSROOT_DIR)/opt/tsg/images/
cp $(TARGET_CONTAINER_IMAGE_DIR)/$(CONTAINER_INIT_TAR) $(TARGET_SYSROOT_DIR)/opt/tsg/images/
sysroot-archive: installer add-images-into-sysroot sysroot-cleanup
cp $(TARGET_CONTAINER_INIT_SYSROOT_DIR)/etc/sysctl.d/80-tfe.conf $(TARGET_SYSROOT_DIR)/etc/sysctl.d/
tar --exclude=*~ --exclude-backups --owner=root --group=root -c -C $(TARGET_SYSROOT_DIR) . | pbzip2 -p9 > $(TARGET_INSTALLER_DIR)/$(CHROOT_PKG)
sysroot-binary: sysroot-archive
mkdir -p $(TARGET_BUILD_DIR)/cook-bits
$(TOOLSDIR)/cook-bits $(TARGET_BUILD_DIR) $(TARGET_BUILD_DIR)/cook-bits $(IMAGEDIR_BASE)/$(CHROOT_BIN)
sha256sum $(IMAGEDIR_BASE)/$(CHROOT_BIN) | awk '{print $$1}' > $(IMAGEDIR_BASE)/$(CHROOT_BIN).sha256sum.txt
clean:
rm -rf $(TARGET_BUILD_DIR)

2
make/Makefile.TSGXNXR620G40R01P1403
View File

@@ -53,7 +53,7 @@ sysroot-ansible: sysroot-verfile sysroot-base
cp $(CONFDIR)/resolv.conf $(TARGET_SYSROOT_DIR)/etc/ -r
cp $(TARGET_SYSROOT_DIR)/etc/hosts $(TARGET_SYSROOT_DIR)/tmp/ -r
cp /etc/hosts $(TARGET_SYSROOT_DIR)/etc/ -r
$(TOOLSDIR)/ansible-HAL $(PROFILE_ID) $(PROJECTDIR) $(TARGET_SYSROOT_DIR) /tmp/yum-CentOS-7.conf
$(TOOLSDIR)/ansible-HAL $(PROFILE_ID) $(PROJECTDIR) $(TARGET_SYSROOT_DIR) /tmp/yum-CentOS-7.conf $(OS_RELEASE_VER)
cp $(TARGET_SYSROOT_DIR)/tmp/hosts $(TARGET_SYSROOT_DIR)/etc/ -r
umount $(TARGET_SYSROOT_DIR)/proc

BIN
package/rocky-8.6-docker.tar.xz Normal file
View File

Binary file not shown.

3
tools/ansible-HAL
View File

@@ -4,6 +4,7 @@ PROFILE_ID=$1
PROJECTDIR=$2
TARGET_SYSROOT_DIR=$3
YUM_CONF_PATH=$4
OS_RELEASE_VER=$5
echo "----------------------------- Ansible Stage 1 ----------------------------"
echo "$PROFILE_ID"
@@ -11,4 +12,4 @@ echo "$PROFILE_ID"
echo "[$PROFILE_ID]" > $PROJECTDIR/ansible/install_config/hosts
echo "$TARGET_SYSROOT_DIR ansible_connection=chroot" >> $PROJECTDIR/ansible/install_config/hosts
ansible-playbook -i $PROJECTDIR/ansible/install_config/hosts $PROJECTDIR/ansible/HAL_deploy.yml -e "rpm_repo_config_path=$YUM_CONF_PATH PROFILE_ID=$PROFILE_ID path_download=/tmp/rpm_download"
ansible-playbook -i $PROJECTDIR/ansible/install_config/hosts $PROJECTDIR/ansible/HAL_deploy.yml -e "rpm_repo_config_path=$YUM_CONF_PATH PROFILE_ID=$PROFILE_ID path_download=/tmp/rpm_download os_release_ver=$OS_RELEASE_VER"

87
tools/mk-base-image
View File

@@ -10,69 +10,66 @@ yum_config=$1
target=$2
projectdir=$3
profile_id=$4
setopt="group_package_types=mandatory,default,optional"
case $profile_id in
"TSG-X-NXR620G40-R01-P0804")
"TSG-X-NXR620G40-R01-P0804" | "TSG-X-NXR620G40-R01-P0906" )
kernel_version="5.17.15-1.el8.x86_64"
append_package_to_install="$projectdir/package/kernel-ml-core-$kernel_version.rpm
$projectdir/package/kernel-ml-modules-$kernel_version.rpm
$projectdir/package/kernel-ml-$kernel_version.rpm
$projectdir/package/kernel-ml-devel-$kernel_version.rpm"
;;
"TSG-X-NXR620G40-R01-P1403")
kernel_version="3.10.0-1160.59.1.el7.x86_64"
append_package_to_install="kernel-3.10.0-1160.59.1.el7.x86_64
kernel-devel-3.10.0-1160.59.1.el7.x86_64"
;;
"7400-MCN0-P01R01" | "7400-MCN123-P01R01" |"9000-NPB-P01R01")
kernel_version="5.4.159-1.el7.elrepo.x86_64"
append_package_to_install="$projectdir/package/kernel-lt-$kernel_version.rpm
$projectdir/package/kernel-lt-devel-$kernel_version.rpm"
;;
*)
kernel_version="error_profile_id"
echo "Set kernel_version failed, profile_id: $profile_id"
echo "Set kernel_version failed, error profile_id: $profile_id"
exit 1
;;
esac
case $profile_id in
"TSG-X-NXR620G40-R01-P0804" | "TSG-X-NXR620G40-R01-P0906" )
base_package_to_install="@base @core @debugging @anaconda-tools @additional-devel @guest-agents @system-tools
@hardware-monitoring @network-file-system-client @performance @remote-system-management adcli certmonger
ipa-client clevis-dracut clevis-udisks2 krb5-pkinit krb5-workstation sssd-polkit-rules krb5-pkinit luksmeta
nscd nss-pam-ldapd grub2 epel-release efibootmgr ansible yum-utils ipmitool OpenIPMI docker-ce docker-ce-cli
containerd.io lrzsz python3 watchdog pcm git tmux fish kernel kernel-devel kernel-tools-libs kernel-modules
kernel-tools kernel-core rpm-build libtool kernel-rpm-macros python36-devel tcsh kernel-modules-extra gcc-gfortran
libdb-devel fuse-devel python3-Cython cmake perl-generators libstdc++-devel libmnl-devel bison flex gcc-c++
python3-docutils libnsl"
;;
"TSG-X-NXR620G40-R01-P1403" | "7400-MCN0-P01R01" | "7400-MCN123-P01R01" |"9000-NPB-P01R01")
base_package_to_install="@base @core @debugging @directory-client @guest-agents
@hardware-monitoring @network-file-system-client @performance @remote-system-management
grub2 epel-release efibootmgr ansible yum-utils ipmitool docker-ce docker-ce-cli
containerd.io lrzsz python3 vconfig watchdog pcm git tmux fish"
;;
*)
base_package_to_install="error_profile_id"
echo "Set base_package_to_install failed, error profile_id: $profile_id"
exit 1
;;
esac
set -ex
package_to_install_CentOS7="@base @core @debugging @directory-client @guest-agents
@hardware-monitoring @network-file-system-client @performance @remote-system-management
grub2 epel-release efibootmgr ansible yum-utils ipmitool docker-ce docker-ce-cli containerd.io lrzsz python3 vconfig watchdog pcm git tmux fish"
package_to_install_RockyLinux85="@base @core @debugging @anaconda-tools @additional-devel @guest-agents @system-tools
@hardware-monitoring @network-file-system-client @performance @remote-system-management
adcli certmonger ipa-client clevis-dracut clevis-udisks2 krb5-pkinit krb5-workstation sssd-polkit-rules krb5-pkinit luksmeta nscd nss-pam-ldapd
grub2 epel-release efibootmgr ansible yum-utils ipmitool OpenIPMI docker-ce docker-ce-cli containerd.io lrzsz python3 watchdog pcm git tmux fish kernel kernel-devel
kernel-tools-libs kernel-modules kernel-tools kernel-core rpm-build libtool kernel-rpm-macros python36-devel tcsh kernel-modules-extra gcc-gfortran
libdb-devel fuse-devel python3-Cython cmake perl-generators libstdc++-devel libmnl-devel bison flex gcc-c++ python3-docutils libnsl"
if [ $profile_id != "TSG-X-NXR620G40-R01-P0804" ];then
locak_package_to_install_CentOS7="$projectdir/package/kernel-lt-$kernel_version.rpm
$projectdir/package/kernel-lt-devel-$kernel_version.rpm"
else
local_package_to_install="$projectdir/package/kernel-ml-core-$kernel_version.rpm
$projectdir/package/kernel-ml-modules-$kernel_version.rpm
$projectdir/package/kernel-ml-$kernel_version.rpm
$projectdir/package/kernel-ml-devel-$kernel_version.rpm"
fi
kernel_package_to_install="kernel-3.10.0-1160.59.1.el7.x86_64 kernel-devel-3.10.0-1160.59.1.el7.x86_64"
setopt="group_package_types=mandatory,default,optional"
yum -c "$yum_config" --installroot="$target" -y makecache
case $profile_id in
"TSG-X-NXR620G40-R01-P0804")
yum -c "$yum_config" --installroot="$target" -y --setopt=$setopt install $package_to_install_RockyLinux85
yum -c "$yum_config" --installroot="$target" -y --setopt=$setopt install $local_package_to_install
;;
"TSG-X-NXR620G40-R01-P1403")
yum -c "$yum_config" --installroot="$target" -y --setopt=$setopt install $package_to_install_CentOS7
yum -c "$yum_config" --installroot="$target" -y --setopt=$setopt install $kernel_package_to_install
;;
"7400-MCN0-P01R01" | "7400-MCN123-P01R01" |"9000-NPB-P01R01")
yum -c "$yum_config" --installroot="$target" -y --setopt=$setopt install $package_to_install_CentOS7
yum -c "$yum_config" --installroot="$target" -y --setopt=$setopt localinstall $locak_package_to_install_CentOS7
;;
*)
echo "Error profile id, profile_id: $profile_id"
exit 1
;;
esac
yum -c "$yum_config" --installroot="$target" -y --setopt=$setopt install $base_package_to_install
yum -c "$yum_config" --installroot="$target" -y --setopt=$setopt install $append_package_to_install
#if [ $profile_id == "TSG-X-NXR620G40-R01-P0804" ];then
# kernel_version=$(ls $target/boot/vmlinuz-*.x86_64 | grep -oP "^$target/boot/vmlinuz-\K.*")