diff --git a/ansible/roles/traffic-engine/files/helm/conf/provision-init.sh b/ansible/roles/traffic-engine/files/helm/conf/provision-init.sh
deleted file mode 100644
index b45b2dec..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/provision-init.sh
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash -ex
-
-mkdir -p /target_config/opt/tsg/etc
-mkdir -p /target_config/etc/default
-chmod 0755 /opt/tsg/tsg-os-provision/scripts/obtain_sn.sh
-/opt/tsg/tsg-os-provision/scripts/obtain_sn.sh
-{{ if eq .Values.proxy.enable .Values.define_enable_val_yes }}
-ip tuntap add dev tap0 mode tap multi_queue
-/opt/tsg/tfe/tfe-env-start.sh
-{{- end }}
-mount -o remount,rw /sys
-
-{{ if .Values.sce_config.endpoint_nic }}
-ip tuntap add dev {{ .Values.sce_config.endpoint_nic }} mode tap
-ip link set dev {{ .Values.sce_config.endpoint_nic }} up
-ip route add {{ .Values.sce_config.endpoint_netip }}/{{ .Values.sce_config.endpoint_mask }} dev {{ .Values.sce_config.endpoint_nic }} table 10
-{{ if .Values.sce_config.endpoint_gateway }}
-ip route add default via {{ .Values.sce_config.endpoint_gateway }} table 10
-{{- end }}
-ip a a {{ .Values.sce_config.endpoint_ip }}/{{ .Values.sce_config.endpoint_mask }} dev {{ .Values.sce_config.endpoint_nic }} noprefixroute
-ip rule add dport 3784 table 10
-{{- end }}
diff --git a/ansible/roles/traffic-engine/files/helm/conf/tfe-env-start.sh b/ansible/roles/traffic-engine/files/helm/conf/tfe-env-start.sh
deleted file mode 100644
index 9763cc99..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/tfe-env-start.sh
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash -ex
-
-/usr/sbin/ip link set tap0 address fe:65:b7:03:50:bd
-/usr/sbin/ip link set tap0 up
-/usr/sbin/ip addr flush dev tap0
-/usr/sbin/ip addr add 172.16.241.2/30 dev tap0
-/usr/sbin/ip neigh flush dev tap0
-/usr/sbin/ip neigh add 172.16.241.1 lladdr 00:0e:c6:d6:72:c1 dev tap0 nud permanent
-/usr/sbin/ip6tables -A INPUT -i tap0 -m bpf --bytecode '17,48 0 0 0,84 0 0 240,21 0 13 96,48 0 0 6,21 0 11 6,40 0 0 4,37 0 9 24,48 0 0 52,84 0 0 240,116 0 0 2,53 0 5 24,48 0 0 60,21 0 3 88,48 0 0 61,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
-/usr/sbin/iptables -A INPUT -i tap0 -m bpf --bytecode '18,48 0 0 0,84 0 0 240,21 0 14 64,48 0 0 9,21 0 12 6,40 0 0 6,69 10 0 8191,177 0 0 0,80 0 0 12,84 0 0 240,116 0 0 2,53 0 5 24,80 0 0 20,21 0 3 88,80 0 0 21,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
-
-
-/usr/sbin/ip rule add iif tap0 tab 100
-/usr/sbin/ip route add local default dev lo table 100
-/usr/sbin/ip rule add fwmark 0x65 lookup 101
-/usr/sbin/ip route add default dev tap0 via 172.16.241.1 table 101
-
-/usr/sbin/ip addr add fd00::02/64 dev tap0
-/usr/sbin/ip -6 route add default via fd00::01
-/usr/sbin/ip -6 rule add iif tap0 tab 102
-/usr/sbin/ip -6 route add local default dev lo table 102
-/usr/sbin/ip -6 neigh add fd00::01 lladdr 00:0e:c6:d6:72:c1 dev tap0 nud permanent
diff --git a/ansible/roles/traffic-engine/files/helm/conf/tfe-env-stop.sh b/ansible/roles/traffic-engine/files/helm/conf/tfe-env-stop.sh
deleted file mode 100644
index 468889c8..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/tfe-env-stop.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash -ex
-/usr/sbin/ip6tables -D INPUT -i tap0 -m bpf --bytecode '17,48 0 0 0,84 0 0 240,21 0 13 96,48 0 0 6,21 0 11 6,40 0 0 4,37 0 9 24,48 0 0 52,84 0 0 240,116 0 0 2,53 0 5 24,48 0 0 60,21 0 3 88,48 0 0 61,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
-/usr/sbin/iptables -D INPUT -i tap0 -m bpf --bytecode '18,48 0 0 0,84 0 0 240,21 0 14 64,48 0 0 9,21 0 12 6,40 0 0 6,69 10 0 8191,177 0 0 0,80 0 0 12,84 0 0 240,116 0 0 2,53 0 5 24,80 0 0 20,21 0 3 88,80 0 0 21,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
-/usr/sbin/ip rule del iif tap0 tab 100
-/usr/sbin/ip route del local default dev lo table 100
-/usr/sbin/ip rule del fwmark 0x65 lookup 101
-/usr/sbin/ip route del default dev tap0 via 172.16.241.1 table 101
-/usr/sbin/ip -6 rule del iif tap0 tab 102
-/usr/sbin/ip -6 route del default via fd00::01
-/usr/sbin/ip -6 route del local default dev lo table 102
-/usr/sbin/ip addr del fd00::02/64 dev tap0
-/usr/sbin/ip link set tap0 down
diff --git a/ansible/roles/traffic-engine/files/helm/templates/_config.tpl b/ansible/roles/traffic-engine/files/helm/templates/_config.tpl
index 08163246..0a826d7f 100644
--- a/ansible/roles/traffic-engine/files/helm/templates/_config.tpl
+++ b/ansible/roles/traffic-engine/files/helm/templates/_config.tpl
@@ -202,3 +202,57 @@ enable_breakpad_upload=0
 if [ -f "/etc/traffic-engine/hotfix/certstore/scripts/prestart.sh" ]; then chmod 0755 /etc/traffic-engine/hotfix/certstore/scripts/prestart.sh; /etc/traffic-engine/hotfix/certstore/scripts/prestart.sh;fi
 {{- end -}}
+
+{{- define "traffic-engine.init" -}}
+ mkdir -p /target_config/opt/tsg/etc
+ mkdir -p /target_config/etc/default
+ chmod 0755 /opt/tsg/tsg-os-provision/scripts/obtain_sn.sh
+ /opt/tsg/tsg-os-provision/scripts/obtain_sn.sh
+{{ if eq .Values.proxy.enable .Values.define_enable_val_yes }}
+ ip tuntap add dev tap0 mode tap multi_queue
+ /usr/sbin/ip link set tap0 address fe:65:b7:03:50:bd
+ /usr/sbin/ip link set tap0 up
+ /usr/sbin/ip addr flush dev tap0
+ /usr/sbin/ip addr add 172.16.241.2/30 dev tap0
+ /usr/sbin/ip neigh flush dev tap0
+ /usr/sbin/ip neigh add 172.16.241.1 lladdr 00:0e:c6:d6:72:c1 dev tap0 nud permanent
+ /usr/sbin/ip6tables -A INPUT -i tap0 -m bpf --bytecode '17,48 0 0 0,84 0 0 240,21 0 13 96,48 0 0 6,21 0 11 6,40 0 0 4,37 0 9 24,48 0 0 52,84 0 0 240,116 0 0 2,53 0 5 24,48 0 0 60,21 0 3 88,48 0 0 61,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
+ /usr/sbin/iptables -A INPUT -i tap0 -m bpf --bytecode '18,48 0 0 0,84 0 0 240,21 0 14 64,48 0 0 9,21 0 12 6,40 0 0 6,69 10 0 8191,177 0 0 0,80 0 0 12,84 0 0 240,116 0 0 2,53 0 5 24,80 0 0 20,21 0 3 88,80 0 0 21,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
+ /usr/sbin/ip rule add iif tap0 tab 100
+ /usr/sbin/ip route add local default dev lo table 100
+ /usr/sbin/ip rule add fwmark 0x65 lookup 101
+ /usr/sbin/ip route add default dev tap0 via 172.16.241.1 table 101
+ /usr/sbin/ip addr add fd00::02/64 dev tap0
+ /usr/sbin/ip -6 route add default via fd00::01
+ /usr/sbin/ip -6 rule add iif tap0 tab 102
+ /usr/sbin/ip -6 route add local default dev lo table 102
+ /usr/sbin/ip -6 neigh add fd00::01 lladdr 00:0e:c6:d6:72:c1 dev tap0 nud permanent
+{{- end }}
+ mount -o remount,rw /sys
+{{ if .Values.sce_config.endpoint_nic }}
+ ip 
tuntap add dev {{ .Values.sce_config.endpoint_nic }} mode tap
+ ip link set dev {{ .Values.sce_config.endpoint_nic }} up
+ ip route add {{ .Values.sce_config.endpoint_netip }}/{{ .Values.sce_config.endpoint_mask }} dev {{ .Values.sce_config.endpoint_nic }} table 10
+{{ if .Values.sce_config.endpoint_gateway }}
+ ip route add default via {{ .Values.sce_config.endpoint_gateway }} table 10
+{{- end }}
+ ip a a {{ .Values.sce_config.endpoint_ip }}/{{ .Values.sce_config.endpoint_mask }} dev {{ .Values.sce_config.endpoint_nic }} noprefixroute
+ ip rule add dport 3784 table 10
+{{- end }}
+{{- end -}}
+
+{{/*
+#tfe-env-stop.sh
+#!/bin/bash -ex
+/usr/sbin/ip6tables -D INPUT -i tap0 -m bpf --bytecode '17,48 0 0 0,84 0 0 240,21 0 13 96,48 0 0 6,21 0 11 6,40 0 0 4,37 0 9 24,48 0 0 52,84 0 0 240,116 0 0 2,53 0 5 24,48 0 0 60,21 0 3 88,48 0 0 61,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
+/usr/sbin/iptables -D INPUT -i tap0 -m bpf --bytecode '18,48 0 0 0,84 0 0 240,21 0 14 64,48 0 0 9,21 0 12 6,40 0 0 6,69 10 0 8191,177 0 0 0,80 0 0 12,84 0 0 240,116 0 0 2,53 0 5 24,80 0 0 20,21 0 3 88,80 0 0 21,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
+/usr/sbin/ip rule del iif tap0 tab 100
+/usr/sbin/ip route del local default dev lo table 100
+/usr/sbin/ip rule del fwmark 0x65 lookup 101
+/usr/sbin/ip route del default dev tap0 via 172.16.241.1 table 101
+/usr/sbin/ip -6 rule del iif tap0 tab 102
+/usr/sbin/ip -6 route del default via fd00::01
+/usr/sbin/ip -6 route del local default dev lo table 102
+/usr/sbin/ip addr del fd00::02/64 dev tap0
+/usr/sbin/ip link set tap0 down
+*/}}
diff --git a/ansible/roles/traffic-engine/files/helm/templates/provision.yaml b/ansible/roles/traffic-engine/files/helm/templates/provision.yaml
deleted file mode 100644
index 7e853e5e..00000000
--- a/ansible/roles/traffic-engine/files/helm/templates/provision.yaml
+++ /dev/null
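Review bot: The teardown commands survive only as a `{{/* ... */}}` template comment at the end of this hunk, so with `tfe-env-stop.sh` deleted nothing in the chart ever removes the NFQUEUE `INPUT` rules, the policy-routing rules or the tap0 addresses that `traffic-engine.init` adds. That matters because the block is executed under `bash -ec` (set in traffic-engine.yaml) and `ip rule add` / `ip route add` fail when the entry already exists, so a restart into a network namespace where the previous rules are still present (e.g. if this init container runs with host networking — not visible here) aborts the init container instead of converging. Either delete the dead comment, or promote it to a second named template wired to a preStop hook or cleanup Job, and make the adds tolerant of pre-existing entries (`ip route replace` for routes, a `del ... 2>/dev/null || true` before each `ip rule add`). Separately, `ip tuntap add dev tap0 mode tap multi_queue` is the one command in the proxy branch without the `/usr/sbin/ip` prefix the rest of the block uses; `/usr/sbin/ip tuntap add dev tap0 mode tap multi_queue` keeps it consistent and independent of PATH in the init image.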
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: provisioninit-{{ .Release.Name }}
- namespace: default
-data:
- provision-init.sh: {{ tpl (.Files.Get "conf/provision-init.sh") . | quote }}
- tfe-env-start.sh: {{ tpl (.Files.Get "conf/tfe-env-start.sh") . | quote }}
- tfe-env-stop.sh: {{ tpl (.Files.Get "conf/tfe-env-stop.sh") . | quote }}
diff --git a/ansible/roles/traffic-engine/files/helm/templates/traffic-engine.yaml b/ansible/roles/traffic-engine/files/helm/templates/traffic-engine.yaml
index 73ec3f13..97466b86 100644
--- a/ansible/roles/traffic-engine/files/helm/templates/traffic-engine.yaml
+++ b/ansible/roles/traffic-engine/files/helm/templates/traffic-engine.yaml
@@ -16,7 +16,7 @@ spec:
 metadata:
 labels:
 app: traffic-engine-{{ .Release.Name }}
- vsysId: {{ .Values.vsys_id }}
+ vsysId: "{{ .Values.vsys_id }}"
 serviceFunction: {{ .Values.nic_raw_name }}
 annotations:
 configHash: "{{ .Values.configHash }}"
@@ -200,7 +200,7 @@ spec:
 - name: telegraf
 image: "docker.io/library/tsg-telegraf:{{ .Chart.AppVersion }}"
- imagePullPolicy: {{ .Values.image.telegraf.pullPolicy }}
+ imagePullPolicy: Never
 command: ["/usr/bin/telegraf", "-config", "/etc/telegraf/telegraf_statistic.conf", "-config-directory", "/etc/telegraf/telegraf_statistic.d"]
 securityContext:
 privileged: true
@@ -221,7 +221,7 @@ spec:
 {{- if eq .Values.shaping.enable .Values.define_enable_val_yes }}
 - name: telegraf-shaping
 image: "docker.io/library/tsg-telegraf:{{ .Chart.AppVersion }}"
- imagePullPolicy: {{ .Values.image.telegraf.pullPolicy }}
+ imagePullPolicy: Never
 command: ["/usr/bin/telegraf", "-config", "/etc/telegraf/telegraf_shaping.conf", "-config-directory", "/etc/telegraf/telegraf_statistic.d"]
 securityContext:
 privileged: true
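Review bot: `serviceFunction: {{ .Values.nic_raw_name }}` on the line right after the newly quoted `vsysId` has the same exposure the fix addresses: label values must be strings, so an unset value renders as `null` and a numeric-looking one becomes a non-string and the manifest is rejected at apply time. Apply the same fix, `serviceFunction: "{{ .Values.nic_raw_name }}"`. The enclosing pod template metadata starts and ends outside the hunk.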
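Review bot: `imagePullPolicy: Never` is hardcoded here and in the -221, -253 and -267 hunks, and the -253 and -444 hunks drop the `.Values.image.*` repository/tag lookups, so `image.telegraf.pullPolicy`, `image.tsgInit.*`, `image.proxy.tag`, `image.sce.tag` and `image.bfdd.tag` are no longer read anywhere in this template. If those keys remain in values.yaml (not visible in this diff) they become silent no-ops, which is worse than a missing key: an operator setting `image.proxy.tag` to roll a hotfix image gets `.Chart.AppVersion` and no error. Remove the keys in the same change or fail loudly, e.g. `{{- if .Values.image.proxy.tag }}{{ fail "image.*.tag overrides are no longer supported" }}{{- end }}`, and document that with `Never` every image must be pre-loaded on the node, since an absent image now surfaces only as `ErrImageNeverPull`.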
@@ -253,8 +253,8 @@ spec:
 value: "9004"
 - name: minidump-hook
- image: "{{ .Values.image.tsgInit.repository }}:{{ .Values.image.tsgInit.tag | default .Chart.AppVersion }}"
- imagePullPolicy: {{ .Values.image.tsgInit.pullPolicy }}
+ image: "docker.io/library/tsg-init:{{ .Chart.AppVersion }}"
+ imagePullPolicy: Never
 command: ["/bin/sh", "-c", "while true; do touch /run/sapp/crashreport/.minidump; touch /run/tfe/crashreport/.minidump; touch /run/certstore/crashreport/.minidump; sleep 600; done"]
 volumeMounts:
 - name: firewall-minidump
@@ -267,7 +267,7 @@ spec:
 {{- if and (eq .Values.sce.enable .Values.define_enable_val_yes) (.Values.sce_config.endpoint_nic) }}
 - name: telegraf-sce
 image: "docker.io/library/tsg-telegraf:{{ .Chart.AppVersion }}"
- imagePullPolicy: {{ .Values.image.telegraf.pullPolicy }}
+ imagePullPolicy: Never
 command: ["/usr/bin/telegraf", "-config", "/etc/telegraf/telegraf_sce.conf", "-config-directory", "/etc/telegraf/telegraf_statistic.d"]
 securityContext:
 privileged: true
@@ -392,7 +392,11 @@ spec:
 - name: tsg-init
 image: "docker.io/library/tsg-init:{{ .Chart.AppVersion }}"
 imagePullPolicy: Never
- command: ["/opt/tsg/provision-init.sh"]
+ command:
+ - "bash"
+ - "-ec"
+ - |
+ {{ template "traffic-engine.init" }}
 securityContext:
 privileged: true
 env:
@@ -401,15 +405,6 @@ spec:
 fieldRef:
 fieldPath: status.hostIP
 volumeMounts:
- - name: provisioninit
- mountPath: "/opt/tsg/provision-init.sh"
- subPath: "provision-init.sh"
- - name: provisioninit
- mountPath: "/opt/tsg/tfe/tfe-env-start.sh"
- subPath: "tfe-env-start.sh"
- - name: provisioninit
- mountPath: "/opt/tsg/tfe/tfe-env-stop.sh"
- subPath: "tfe-env-stop.sh"
 - name: config-volume
 mountPath: /target_config
 - name: localtime-node
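Review bot: `{{ template "traffic-engine.init" }}` in the new `command` list is invoked without the context argument, so inside the named template `.Values.proxy.enable` and `.Values.sce_config.*` have nothing to resolve against and `helm template` should fail at render time (at best the conditionals are skipped and the privileged init container runs an incomplete script). The output is also placed inside a `|` block scalar, where only the first rendered line inherits the call site's YAML indentation; the define's remaining lines come out at their own 0–2 column indent, which terminates the block scalar and leaves the rest of the script parsed as pod-spec keys. Replace the line with `{{- include "traffic-engine.init" . | nindent N }}`, N being the content column of the `- |` scalar, and verify with `helm template` that the whole script lands in the scalar. Note also that `bash -ec` drops the `-x` trace the deleted `provision-init.sh` ran with, so an init failure in this privileged container will log only bash's error line unless `set -x` is added at the top of the define.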
@@ -444,27 +439,23 @@ spec:
 - name: sce
 configMap:
 name: sce-{{ .Release.Name }}
- - name: provisioninit
- configMap:
- defaultMode: 493
- name: provisioninit-{{ .Release.Name }}
 - name: config-volume
 emptyDir: {}
 - name: firewall-minidump
 hostPath:
- path: /var/crashreport/traffic-engine/traffic-engine-{{ .Release.Name }}/tsg-firewall:{{ .Values.image.proxy.tag | default .Chart.AppVersion }}/
+ path: /var/crashreport/traffic-engine/traffic-engine-{{ .Release.Name }}/tsg-firewall:{{ .Chart.AppVersion }}/
 - name: proxy-minidump
 hostPath:
- path: /var/crashreport/traffic-engine/traffic-engine-{{ .Release.Name }}/tsg-proxy:{{ .Values.image.proxy.tag | default .Chart.AppVersion }}/
+ path: /var/crashreport/traffic-engine/traffic-engine-{{ .Release.Name }}/tsg-proxy:{{ .Chart.AppVersion }}/
 - name: sce-minidump
 hostPath:
- path: /var/crashreport/traffic-engine/traffic-engine-{{ .Release.Name }}/tsg-sce:{{ .Values.image.sce.tag | default .Chart.AppVersion }}/
+ path: /var/crashreport/traffic-engine/traffic-engine-{{ .Release.Name }}/tsg-sce:{{ .Chart.AppVersion }}/
 - name: bfdd-minidump
 hostPath:
- path: /var/crashreport/traffic-engine/traffic-engine-{{ .Release.Name }}/tsg-bfdd:{{ .Values.image.bfdd.tag | default .Chart.AppVersion }}/
+ path: /var/crashreport/traffic-engine/traffic-engine-{{ .Release.Name }}/tsg-bfdd:{{ .Chart.AppVersion }}/
 - name: certstore-minidump
 hostPath:
- path: /var/crashreport/traffic-engine/traffic-engine-{{ .Release.Name }}/tsg-certstore:{{ .Values.image.proxy.tag | default .Chart.AppVersion }}/
+ path: /var/crashreport/traffic-engine/traffic-engine-{{ .Release.Name }}/tsg-certstore:{{ .Chart.AppVersion }}/
 - name: firewall-log
 hostPath:
 path: /var/log/traffic-engine/traffic-engine-{{ .Release.Name }}/sapp/