feature:DPISDN-60:Add containers and helmcharts dirs.

This commit is contained in:
fumingwei
2024-08-12 15:17:42 +08:00
parent 42b6354f0c
commit 456dd51649
103 changed files with 6101 additions and 0 deletions

71
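--- a/containers/Makefile
+++ b/containers/Makefile
@@ -0,0 +1,71 @@
+export YUM_REPO_FILE
+export IMAGE_TAG
+BUILD_DIR := build
+IMAGE_NAMES := $(shell find . -maxdepth 1 -type d ! -name "build" ! -name "." | sed 's|^\./||')
+IMAGE_REGISTRY := registry.gdnt-cloud.website/tsg/os
+IMAGE_TAR_DIR := $(BUILD_DIR)/images
+ENV_FILES := $(BUILD_DIR)/IMAGE_TAG_$(IMAGE_TAG:/=_).env
+ARCH := $(shell uname -m)
+ifeq ($(ARCH),x86_64)
+IMAGE_ARCH := amd64
+else ifeq ($(ARCH),aarch64)
+IMAGE_ARCH := arm64
+else
+IMAGE_ARCH := unknown
+endif
+define write_env_files
+$(1):
+mkdir -p $(BUILD_DIR); echo $(1) > $(1)
+endef
+DOCKERFILE_MACROS := dockerfile-macros.j2
+BUILD_DONE_FILE := build.done
+define build_rule
+$(1): $(BUILD_DIR)/$(1)/$(BUILD_DONE_FILE)
+$(BUILD_DIR)/$(1)/$(BUILD_DONE_FILE): $(shell find $(1) -type f) $(2)
+@mkdir -p $(BUILD_DIR)/$(1)
+@mkdir -p $(IMAGE_TAR_DIR)
+$(3)
+@echo done > $(BUILD_DIR)/$(1)/$(BUILD_DONE_FILE)
+endef
+define build_image_from_dockerfile
+/usr/local/bin/j2 -f yaml $(1)/Dockerfile.j2 $(1)/manifest.yaml -o $(BUILD_DIR)/$(1)/Dockerfile
+buildah build \
+--volume /etc/hosts:/etc/hosts:ro \
+--volume $(YUM_REPO_FILE):/etc/yum.conf:ro \
+--volume $(YUM_REPO_FILE):/etc/dnf/dnf.conf:ro \
+-f $(BUILD_DIR)/$(1)/Dockerfile \
+--build-arg BASE_IMAGE=$(2) \
+-t $(3) \
+$(1)
+endef
+define download_image_tar_from_url
+curl -f -u "${PULP_REPO_USERNAME}:${PULP_REPO_PASSWORD}" \
+-o $(IMAGE_TAR_DIR)/prometheus-docker.tar \
+https://repo.geedge.net/filerepo/install/release/tsg-container-images/$(1)
+endef
+.PHONY: all clean $(IMAGE_NAMES)
+all: $(IMAGE_NAMES)
+$(foreach name,$(IMAGE_NAMES),\
+$(eval include $(name)/build.mk);\
+$(eval $(call build_rule,$(rule_target),$(rule_prerequisites),$(rule_recipes))))
+$(foreach file,$(ENV_FILES),$(eval $(call write_env_files,$(file))))
+clean:
+rm -rf $(BUILD_DIR)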
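Review bot: The env-file dependency never reaches the image rules: both build.mk files in this commit (containers/base/build.mk and containers/firewall/build.mk) list `$(DEP_ENV_FILES)` as a prerequisite, but this Makefile only defines `ENV_FILES`, so unless DEP_ENV_FILES arrives from the environment a changed IMAGE_TAG does not trigger a rebuild; define `DEP_ENV_FILES := $(BUILD_DIR)/IMAGE_TAG_$(subst /,_,$(IMAGE_TAG)).env` (the existing `$(IMAGE_TAG:/=_)` is a suffix reference that only rewrites a trailing slash, so a tag such as `feature/x` still yields a nested path). In download_image_tar_from_url the curl line is not `@`-silenced, so make echoes it with `${PULP_REPO_USERNAME}:${PULP_REPO_PASSWORD}` already expanded and the credential lands in build logs; prefix the line with `@` or hand the secret to curl via `--netrc-file`, and derive the output name from `$(1)` instead of the fixed `prometheus-docker.tar`, which every call overwrites. The recipe lines under write_env_files, build_rule and clean show no leading tab in this rendering; if the file really uses spaces, make rejects it with "missing separator", so this is worth confirming against the raw file.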


@@ -0,0 +1,46 @@
{% import 'dockerfile-macros.j2' as macros -%}
ARG BASE_IMAGE
FROM ${BASE_IMAGE}
#RUN dnf -y upgrade --refresh rpm glibc && rm /var/lib/rpm/.rpm.lock && dnf -y upgrade dnf
RUN dnf -y update && \
dnf -y install tcpdump \
numactl-libs \
iproute \
iptables \
procps \
net-tools \
ethtool \
gdb \
ipmitool \
liburing \
vim \
lrzsz \
libnsl \
perf \
jq \
perl \
perl-open \
valgrind \
python2 \
js-d3-flame-graph \
python3 \
dnsutils \
wireshark \
crudini \
inotify-tools \
jemalloc \
pcre2 \
epel-release
RUN python2 -m pip install -i https://pypi.tuna.tsinghua.edu.cn/simple PrettyTable==0.7.2 && \
python3 -m pip install -i https://pypi.tuna.tsinghua.edu.cn/simple jinja2 prettytable tomlq toml sdnotify j2cli j2cli[yaml]
RUN {{ macros.install_packages(packages) }} && \
{{ macros.clean_after_install_packages() }}
COPY files/framework.conf /etc/ld.so.conf.d/
COPY files/framework.sh /etc/profile.d/
COPY --chmod=755 files/entrypoint_public.sh /usr/local/bin/
COPY templates/* /templates/
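Review bot: `epel-release` is listed last in the same `dnf -y install` transaction as packages that, on Rocky 8, appear to come only from EPEL (at least inotify-tools and crudini), so the repository is not enabled yet when dnf resolves the list; install it in its own step first, `RUN dnf -y install epel-release && dnf -y update && dnf -y install ...`. `dnsutils` looks like the Debian package name — on Rocky the resolver tools ship as `bind-utils`, worth confirming before the first build. The python3 pip line installs `jinja2 prettytable tomlq toml sdnotify j2cli j2cli[yaml]` with no version pins, so each rebuild takes whatever the mirror serves that day; pin every package the way `PrettyTable==0.7.2` already is so the image stays reproducible. The commented-out RUN on the fourth line is dead code and should either go or carry a comment saying why it is kept.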

3
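--- a/containers/base/build.mk
+++ b/containers/base/build.mk
@@ -0,0 +1,3 @@
+rule_target := base
+rule_prerequisites := $(DEP_ENV_FILES) $(YUM_REPO_FILE) $(DOCKERFILE_MACROS)
+rule_recipes := $(call build_image_from_dockerfile,$(rule_target),rockylinux:8,$(IMAGE_REGISTRY)/$(rule_target):$(IMAGE_TAG))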
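Review bot: The base image is pulled by the mutable tag `rockylinux:8`, so two builds of the same commit can start from different upstream layers and the IMAGE_TAG-based rebuild tracking in the top-level Makefile cannot see that change; pin it by digest, e.g. `rockylinux:8@sha256:<digest-placeholder>`, and leave a comment on how the pin is refreshed. A short header comment naming the three variables the top-level Makefile expects from every build.mk (`rule_target`, `rule_prerequisites`, `rule_recipes`) would help anyone adding a new image directory.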


@@ -0,0 +1,119 @@
#!/bin/sh
PRESTART_FILE="/opt/tsg/scripts/prestart.sh"
TEMPLATES_DIR="/templates"
VALUES_FILE="${TEMPLATES_DIR}/values.yaml"
IS_ENABLE_PRESTART="false"
IS_ENABLE_INTERACTIVE_STARTUP="false"
parse_args()
{
if [ $# -eq 0 ]; then
echo "No arguments provided, using default configs. Skipping..."
return
fi
PARSED_OPTIONS=$(getopt -o "" -l enable_prestart,enable_interactive_startup -- "$@")
if [ $? -ne 0 ]; then
echo "Failed to parse arguments."
exit 1
fi
eval set -- "$PARSED_OPTIONS"
while true; do
case "$1" in
--enable_prestart)
IS_ENABLE_PRESTART="true"
shift ;;
--enable_interactive_startup)
IS_ENABLE_INTERACTIVE_STARTUP="true"
shift ;;
--)
shift
break ;;
*)
echo "Unknown option $1"
break ;;
esac
done
}
enable_prestart()
{
if test -e ${PRESTART_FILE}; then
echo WARNING: PRESTART.sh is enable, the commands in PRESTART.sh is:
cat ${PRESTART_FILE}
chmod 0755 ${PRESTART_FILE}; source ${PRESTART_FILE}
echo PRESTART.sh has been exec......
fi
}
enable_interactive_startup()
{
while true; do sleep 10; done
}
read_device_sn_from_k8s_node_info() {
local APISERVER=https://kubernetes.default.svc
local SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
local NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
local TOKEN=$(cat ${SERVICEACCOUNT}/token)
local CACERT=${SERVICEACCOUNT}/ca.crt
if [[ -z "$NODE_NAME" ]]; then
>&2 echo "env NODE_NAME is not set or empty!"
return 1
fi
local OUTPUT_FILE="/tmp/node-${NODE_NAME}.json"
curl --silent --fail --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \
-X GET ${APISERVER}/api/v1/nodes/${NODE_NAME} \
-o ${OUTPUT_FILE}
if [[ $? -ne 0 ]]; then
>&2 echo "Failed to retrieve node information!"
return 1
fi
local DEVICE_SN=$(cat ${OUTPUT_FILE} | jq -r '.metadata.annotations."tsg-os/device-sn"')
if [[ -z "$DEVICE_SN" || "$DEVICE_SN" == "null" ]]; then
>&2 echo "Device SN not found!"
return 1
fi
echo "$DEVICE_SN"
}
render_template() {
local template_file=$1
local output_file=$2
/usr/local/bin/j2 -f yaml ${TEMPLATES_DIR}/${template_file} ${VALUES_FILE} -o ${output_file}
}
read_nodeport_from_service() {
local service_name=$1
local service_namespace=$2
local service_domain=${service_name}.${service_namespace}.svc
until nslookup ${service_domain} >&2; do
>&2 echo "waiting for service: ${service_domain}."
sleep 2
done
local APISERVER=https://kubernetes.default.svc
local SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
local NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
local TOKEN=$(cat ${SERVICEACCOUNT}/token)
local CACERT=${SERVICEACCOUNT}/ca.crt
curl --silent --fail --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \
-X GET ${APISERVER}/api/v1/namespaces/${NAMESPACE}/services/${service_name} \
-o /tmp/service.txt
local nodeport=$(cat /tmp/service.txt | jq '.spec.ports[] | .nodePort')
echo ${nodeport}
}
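Review bot: read_nodeport_from_service builds the API path from `${NAMESPACE}` (read from the service-account mount) while the `service_namespace` argument is only used for the nslookup, so a caller asking for a Service in another namespace (firewall/entrypoint.sh passes `default`) silently gets the pod's own namespace; use `${service_namespace}` in the URL or drop the parameter. Unlike read_device_sn_from_k8s_node_info it never checks curl's exit status, and `.spec.ports[] | .nodePort` emits one line per port that the unquoted `echo ${nodeport}` flattens into a space-separated list, so a multi-port Service makes the caller's sed insert several numbers; select the port explicitly (`.spec.ports[0].nodePort` or filter by `.name`) and `return 1` when curl fails. Both helpers place the service-account token on the curl command line, and the script that sources this file (firewall/entrypoint.sh) runs under `sh -ex`, so xtrace copies `Authorization: Bearer <token>` into the container log on every call; read the header from a file (`-H @"${hdr}"`) or bracket the call with `set +x` / `set -x`. The shebang is `#!/bin/sh` but the file relies on `local`, `[[ ]]` and `source`, which only work because sh is bash on this base image; `#!/bin/bash` would document that dependency.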


@@ -0,0 +1 @@
/opt/tsg/framework/lib/


@@ -0,0 +1 @@
export PATH=/opt/tsg/framework/bin:$PATH


@@ -0,0 +1,130 @@
packages:
- name: libcjson
version: 1.7.12.6c09dcf
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/framework"
- name: libdocumentanalyze
version: 2.0.11.719a8ff
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/framework"
- name: libMESA_field_stat
version: 1.0.3.0de785d
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/framework"
- name: libMESA_field_stat2
version: 2.10.11.b2095aa
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/framework"
- name: libMESA_handle_logger
version: 2.0.12.1dd9e1e
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/framework"
- name: libMESA_htable
version: 3.10.13.bd6fc34
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/framework"
- name: libMESA_prof_load
version: 1.0.9.16148e7
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/framework"
- name: librulescan
version: 3.0.1.6145620
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/framework"
- name: libelua
version: 2.0.1.7760c27
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/framework"
- name: libwiredcfg
version: 2.0.8.cafaf49
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/framework"
- name: libWiredLB
version: 2.0.6.54a039d
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/framework"
- name: libbreakpad_mini
version: 1.0.9.9d98968
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/framework"
- name: libMV_Sketch
version: 2.1.3.20231215.19725c6
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/framework"
- name: librdkafka
version: 1.2.2.1218b3c
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/framework"
- name: libMESA_jump_layer
version: 1.0.10.6fb4738
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/framework"
- name: libswarmkv
version: 4.4.4.5c89f35
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/framework"
- name: libfieldstat3
version: 3.1.1.03491ea
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/framework"
- name: libMESA_sts
version: 1.0.3.d515a96
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/framework"
- name: libfieldstat4
version: 4.6.6.2d9b9cd
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/framework"
- name: libipfix_exporter
version: 1.0.6.0e73c24
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/framework"
- name: libosfp
version: 1.3.11.d8c406f
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/framework"
- name: utable
version: 1.0.11.f3db4a4
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/framework"
- name: libmaatframe
version: 4.2.1.4fddb2b
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/framework"
- name: libcbd
version: 3.1.1.c3767f2
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/framework"
- name: libdos_protector
version: 3.2.3.07c2e54
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/framework"
- name: hasp-tools
version: 1.0.12.66db85d
install_command: dnf
dnf_command_options: "--nogpgcheck"
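Review bot: The `hasp-tools` entry sets `dnf_command_options: "--nogpgcheck"`, but install_packages in dockerfile-macros.j2 only reads `install_command_options`, so the flag is never rendered and the install runs with the default signature check; if the package really is unsigned, rename the key to `install_command_options`, and preferably import the vendor signing key instead of disabling verification for a licensing tool. This entry is also the only one without `download_command`, which is consistent with `install_command: dnf` fetching on its own but deserves a one-line comment so the asymmetry is not mistaken for an omission.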


@@ -0,0 +1,93 @@
{# macros.j2 #}
{% macro cm_address(cm) -%}
{%- if cm.connectivity == "direct" -%}
{{ cm.direct.address }}
{%- elif cm.connectivity == "builtin" -%}
tsg-cm.tsg-os-system.svc
{%- else -%}
{{ cm.local_cache.cache_name ~ "-redis-master.tsg-os-system.svc" }}
{%- endif %}
{%- endmacro %}
{% macro cm_port(cm) -%}
{%- if cm.connectivity == "direct" -%}
{{ cm.direct.port }}
{%- elif cm.connectivity == "builtin" -%}
7002
{%- else -%}
6379
{%- endif %}
{%- endmacro %}
{% macro address_port_pairs_render(source, separator) -%}
{%- set addresses = [] -%}
{%- if source -%}
{%- for item in source -%}
{%- set address = item.address ~ ":" ~ item.port -%}
{%- do addresses.append(address) -%}
{%- endfor -%}
{{ addresses | join(separator) }}
{%- endif %}
{%- endmacro %}
{% macro sd_address(sd) -%}
{%- if sd.enable is defined and sd.enable == True -%}
{%- if sd.connectivity == "direct" -%}
{{ sd.direct.address }}
{%- else -%}
{{ sd.local_cache.cache_name ~ "-redis-master.tsg-os-system.svc" }}
{%- endif %}
{%- endif %}
{%- endmacro %}
{% macro sd_port(sd) -%}
{%- if sd.enable is defined and sd.enable == True -%}
{%- if sd.connectivity == "direct" -%}
{{ sd.direct.port }}
{%- else -%}
6379
{%- endif %}
{%- endif %}
{%- endmacro %}
{% macro device_tag_list(device) -%}
{%- set tags_list = [] -%}
{%- if device.tag is defined and device.tag %}
{%- for tag in device.tag %}
{%- for key, val in tag.items() %}
{%- set tag_json = '{"tag":"' ~ key ~ '","value":"' ~ val ~ '"}' -%}
{%- do tags_list.append(tag_json) -%}
{%- endfor %}
{%- endfor %}
{%- endif %}
{{ tags_list | join(',') }}
{%- endmacro %}
{% macro safe_read(data, path) -%}
{%- set keys = path.split('.') %}
{%- set ns = namespace(value=data) %}
{%- for key in keys %}
{%- if ns.value is mapping and key in ns.value %}
{%- set ns.value = ns.value[key] %}
{%- else %}
{%- set ns.value = None %}
{%- break %}
{%- endif %}
{%- endfor %}
{{- ns.value if ns.value is not none else '' }}
{%- endmacro %}
{# ref a.b.c.d using safe_read(a, "b.c.d") #}
{% macro read_device_tag_value(device, key) -%}
{%- set ns = namespace(value='') %}
{%- if device.tag is defined and device.tag %}
{%- for tag in device.tag %}
{%- if tag is mapping and key in tag %}
{%- set ns.value = tag[key] %}
{%- break %}
{%- endif %}
{%- endfor %}
{%- endif %}
{{- ns.value if ns.value is not none else '' }}
{%- endmacro %}
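Review bot: device_tag_list builds JSON by string concatenation (`'{"tag":"' ~ key ~ '","value":"' ~ val ~ '"}'`), so a tag key or value containing a double quote, backslash or newline produces an invalid document wherever the macro is embedded (maat.conf.j2's ACCEPT_TAGS in this commit, and presumably tsg_device_tag.json.j2); serialize instead with `{%- do tags_list.append({"tag": key, "value": val} | tojson) -%}`, which also handles non-string values. The same concern applies to callers that drop `safe_read` output straight into quoted JSON strings, such as the sasl_username/sasl_password fields in firewall_logger_transmitter_schema.json.j2, where `| tojson` on the value is the fix. A one-line comment above each macro stating what it renders (cm_address/cm_port a bare host or port, address_port_pairs_render an empty string when `source` is falsy, sd_address/sd_port nothing unless `sd.enable` is true) would make the whitespace-control dashes less surprising to template editors.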


@@ -0,0 +1,3 @@
{% import '/templates/macros.j2' as macros -%}
[MAAT]
ACCEPT_TAGS={"tags":[{{ macros.device_tag_list(device) }}]}


@@ -0,0 +1,51 @@
{#
packages:
- name: example
version: 1.1.1
# url: https://www.example.com/download/test.rpm
download_command: dnf/curl
download_command_options: "--downloadonly --downloaddir /tmp/rpms_download"
download_command_override: "override the download command."
install_command: dnf/rpm
install_command_options: "--prefix /opt/tsg/framework"
install_command_override: "override the install command"
#}
{% macro install_packages(packages) -%}
{%- set generated_commands = [] -%}
{%- for item in packages if item.name and item.version -%}
{%- set rpm_version = item.name ~ "-" ~ item.version -%}
{%- if item.download_command_override is defined and item.download_command_override -%}
{%- do generated_commands.append(item.download_command_override) -%}
{%- else %}
{%- set command = '' %}
{%- if item.download_command is defined and item.download_command == "curl" %}
{%- set command = item.download_command ~ " " ~ item.curl ~ " " ~ (item.download_command_options | default('')) -%}
{%- endif %}
{%- if item.download_command is defined and item.download_command == "dnf" %}
{%- set command = item.download_command ~ " install -y --downloadonly --downloaddir /tmp/download " ~ rpm_version ~ " " ~ (item.download_command_options | default('')) -%}
{%- endif %}
{%- do generated_commands.append(command) if command -%}
{%- endif %}
{%- if item.install_command_override is defined and item.install_command_override -%}
{%- do generated_commands.append(item.install_command_override) -%}
{%- else %}
{%- set command = '' %}
{%- if item.install_command is defined and item.install_command == "dnf" %}
{%- set command = item.install_command ~ " install -y " ~ rpm_version ~ " " ~ (item.install_command_options | default('')) -%}
{%- endif %}
{%- if item.install_command is defined and item.install_command == "rpm" %}
{%- set command = item.install_command ~ " -ivh " ~ "/tmp/download/" ~ rpm_version ~ "* " ~ (item.install_command_options | default('')) -%}
{%- endif %}
{%- do generated_commands.append(command) if command -%}
{%- endif %}
{%- endfor -%}
{{ generated_commands | join(' && \\\n ') }}
{%- endmacro %}
{% macro clean_after_install_packages() -%}
{%- set generated_commands = [] -%}
{%- do generated_commands.append("rm -rf /tmp/download") -%}
{%- do generated_commands.append("dnf clean all") -%}
{{ generated_commands | join(' && \\\n ') }}
{%- endmacro %}
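Review bot: The curl branch of install_packages reads `item.curl`, while the schema comment at the top of the file documents the field as `url:`; a manifest written to the comment therefore renders `curl  <options>` with an empty URL, because the default Undefined prints as an empty string. Change it to `item.url` (or fix the comment), and note that nothing in that branch saves into `/tmp/download/`, which is where the `rpm -ivh /tmp/download/<name>-<version>*` install branch looks, so the two steps only connect if the caller passes `-o` in download_command_options — a default of `-o /tmp/download/` ~ rpm_version ~ `.rpm` plus `mkdir -p /tmp/download` would close that gap. The loop filter `if item.name and item.version` silently drops malformed entries, turning a typo in manifest.yaml into a missing package at runtime rather than a build failure; either document that as deliberate or have the macro emit a failing command for such entries.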


@@ -0,0 +1,27 @@
{% import 'dockerfile-macros.j2' as macros -%}
ARG BASE_IMAGE
FROM ${BASE_IMAGE}
RUN {{ macros.install_packages(packages) }} && \
{{ macros.clean_after_install_packages() }} && \
rm -rf /opt/tsg/sapp/r2 && \
rm -rf /opt/tsg/sapp/r3
# files
COPY files/quic/main.conf /opt/tsg/sapp/conf/quic/main.conf
COPY files/asymmetric_addr_layer.conf /opt/tsg/sapp/etc/
COPY files/entrylist.conf /opt/tsg/sapp/etc/
COPY files/firewall_l7_protocol.conf /opt/tsg/sapp/tsgconf/
COPY files/http.conf /opt/tsg/sapp/conf/http/
COPY files/necessary_plug_list.conf /opt/tsg/sapp/etc/
COPY files/project_list.conf /opt/tsg/sapp/etc/
COPY files/sapp_log.conf /opt/tsg/sapp/etc/
COPY files/vlan_flipping_map.conf /opt/tsg/sapp/etc/
COPY files/well_known_port.conf /opt/tsg/sapp/etc/
# templates
COPY templates/* /templates/
# scripts
COPY --chmod=755 entrypoint.sh /usr/local/bin/
WORKDIR /opt/tsg/sapp
CMD ["/bin/bash"]
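Review bot: entrypoint.sh is copied to /usr/local/bin but nothing references it — there is no ENTRYPOINT and CMD is `["/bin/bash"]` — so template rendering and the SN lookup only happen if the chart overrides the command; `ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]` with an empty `CMD []` would make the image self-contained and let the chart pass the `--enable_*` flags as args. The `rm -rf /opt/tsg/sapp/r2` and `r3` lines after package installation deserve a comment saying what those directories contain and why they are stripped from the shipped package. `COPY templates/* /templates/` targets the same path the base image already populated, so same-named files silently replace the base ones; a comment stating that the firewall templates are meant to win would avoid confusion.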


@@ -0,0 +1,3 @@
rule_target := firewall
rule_prerequisites := $(DEP_ENV_FILES) $(YUM_REPO_FILE) $(DOCKERFILE_MACROS) $(BUILD_DIR)/base/$(BUILD_DONE_FILE)
rule_recipes := $(call build_image_from_dockerfile,$(rule_target),$(IMAGE_REGISTRY)/base:$(IMAGE_TAG),$(IMAGE_REGISTRY)/$(rule_target):$(IMAGE_TAG))


@@ -0,0 +1,88 @@
#!/bin/sh -ex
source /usr/local/bin/entrypoint_public.sh
IS_ENABLE_DOS_PROTECTOR="false"
parse_args()
{
if [ $# -eq 0 ]; then
echo "No arguments provided, using default configs. Skipping..."
return
fi
PARSED_OPTIONS=$(getopt -o "" -l enable_prestart,enable_interactive_startup,enable_dos_protector -- "$@")
if [ $? -ne 0 ]; then
echo "Failed to parse arguments."
exit 1
fi
eval set -- "$PARSED_OPTIONS"
while true; do
case "$1" in
--enable_prestart)
IS_ENABLE_PRESTART="true"
shift ;;
--enable_interactive_startup)
IS_ENABLE_INTERACTIVE_STARTUP="true"
shift ;;
--enable_dos_protector)
IS_ENABLE_DOS_PROTECTOR="true"
shift ;;
--)
shift
break ;;
*)
echo "Unknown option: $1"
break ;;
esac
done
}
enable_dos_protector()
{
local podname=${HOSTNAME}
local CLUSTER_ANNOUNCE_PORT=$(read_nodeport_from_service ${podname}-8551 default)
local HEALTH_CHECK_ANNOUNCE_PORT=$(read_nodeport_from_service ${podname}-8552 default)
sed -Ei -c "s|NODE_IP_LOCATION|${NODE_IP?}|g" /opt/tsg/sapp/tsgconf/main.conf
sed -Ei -c "s|CLUSTER_ANNOUNCE_PORT_LOCATION|${CLUSTER_ANNOUNCE_PORT?}|g" /opt/tsg/sapp/tsgconf/main.conf
sed -Ei -c "s|HEALTH_CHECK_ANNOUNCE_PORT_LOCATION|${HEALTH_CHECK_ANNOUNCE_PORT?}|g" /opt/tsg/sapp/tsgconf/main.conf
}
# start
ldconfig
parse_args "$@"
mkdir -p /opt/tsg/etc/
render_template conflist.inf.j2 /opt/tsg/sapp/plug/conflist.inf
render_template firewall_logger_transmitter_schema.json.j2 /opt/tsg/sapp/tsgconf/firewall_logger_transmitter_schema.json
render_template firewall.inf.j2 /opt/tsg/sapp/plug/business/firewall/firewall.inf
render_template gdev.conf.j2 /opt/tsg/sapp/etc/gdev.conf
render_template http_main.conf.j2 /opt/tsg/sapp/conf/http/http_main.conf
render_template maat.conf.j2 /opt/tsg/sapp/tsgconf/maat.conf
render_template mail.conf.j2 /opt/tsg/sapp/conf/mail/mail.conf
render_template main.conf.j2 /opt/tsg/sapp/tsgconf/main.conf
render_template sapp.toml.j2 /opt/tsg/sapp/etc/sapp.toml
render_template send_raw_pkt.conf.j2 /opt/tsg/sapp/etc/send_raw_pkt.conf
render_template spec.toml.j2 /opt/tsg/sapp/stellar_plugin/spec.toml
render_template ssl_main.conf.j2 /opt/tsg/sapp/conf/ssl/ssl_main.conf
render_template tsg_device_tag.json.j2 /opt/tsg/etc/tsg_device_tag.json
DEVICE_SN=$(read_device_sn_from_k8s_node_info)
echo "{\"sn\": \"$DEVICE_SN\"}" > /opt/tsg/etc/tsg_sn.json
if [ ${IS_ENABLE_DOS_PROTECTOR} == "true" ]; then
enable_dos_protector
fi
if [ ${IS_ENABLE_PRESTART} == "true" ]; then
enable_prestart
fi
if [ ${IS_ENABLE_INTERACTIVE_STARTUP} == "true" ]; then
enable_interactive_startup
fi
exec /opt/tsg/sapp/sapp
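Review bot: `DEVICE_SN=$(read_device_sn_from_k8s_node_info)` runs under `sh -ex`, so any failure in the lookup (NODE_NAME unset, API error, missing annotation) aborts the entrypoint before sapp starts; if that fail-fast behaviour is intended say so in a comment, otherwise guard it with `|| DEVICE_SN=""`. The next line writes JSON with `echo` and no escaping, so `jq -n --arg sn "$DEVICE_SN" '{sn: $sn}' > /opt/tsg/etc/tsg_sn.json` is safer, and jq is already installed by the base image. enable_dos_protector calls read_nodeport_from_service, whose `until nslookup` loop is unbounded, so a missing `${HOSTNAME}-8551` Service leaves the container spinning with no error; a retry limit that exits non-zero would surface the misconfiguration to Kubernetes. This script redefines parse_args from the sourced entrypoint_public.sh wholesale to add one flag; a comment at the top noting the override, or an extension hook in the shared script, would keep the two copies from drifting.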


@@ -0,0 +1,9 @@
#layer name definition: ipv4, ipv6, ethernet,vlan, arp, gre, mpls, pppoe, tcp, udp, l2tp, ppp, pptp, gtp
#pattern: asymmetric_layer_name[layer index]
#The symbol "*" represents any layer
ethernet[*]
vlan[*]
vxlan[*]
mpls[*]
gre[*]
gtp[*]


@@ -0,0 +1,24 @@
IP
IPV6
IPV6_RAW
TCP_ALL
TCP
UDP
PHONY
POLLING
IPSEC
L2TP
PPTP
DNS
QUIC
HTTP
MAIL
FTP
SSL
RTP
SIP
SSH
SOCKS
STRATUM
RDP
DTLS


@@ -0,0 +1,61 @@
#TYPE:1:UCHAR,2:USHORT,3:USTRING,4:ULOG,5:USTRING,6:FILE,7:UBASE64,8:PACKET
#TYPE FIELD VALUE
#STRING UNCATEGORIZED 8000
#STRING UNCATEGORIZED 8001
#STRING UNKNOWN_OTHER 8002
STRING DNS 32
STRING FTP 45
STRING FTPS 751
STRING HTTP 67
STRING HTTPS 68
STRING ICMP 70
STRING IKE 8003
STRING MAIL 8004
STRING IMAP 75
STRING IMAPS 76
STRING IPSEC 85
STRING XMPP 94
STRING L2TP 98
STRING NTP 137
STRING POP3 147
STRING POP3S 148
STRING PPTP 153
STRING QUIC 2521
STRING SIP 182
STRING SMB 185
STRING SMTP 186
STRING SMTPS 187
STRING SPDY 1469
STRING SSH 198
STRING SSL 199
STRING SOCKS 8005
STRING TELNET 209
STRING DHCP 29
STRING RADIUS 158
STRING OPENVPN 336
STRING STUN 201
STRING TEREDO 555
STRING DTLS 1291
STRING DoH 8006
STRING ISAKMP 92
STRING MDNS 3835
STRING NETBIOS 129
STRING NETFLOW 130
STRING RDP 159
STRING RTCP 174
STRING RTP 175
STRING SLP 8007
STRING SNMP 190
STRING SSDP 197
STRING TFTP 211
STRING BJNP 2481
STRING LDAP 100
STRING RTMP 337
STRING RTSP 176
STRING ESNI 8008
STRING Stratum 8169
STRING QQ 156
STRING WeChat 1296
STRING WIREGUARD 3700
STRING MMS 115
STRING RSYNC 173


@@ -0,0 +1,43 @@
#http_special
#all regions
1 HTTP_ALL
2 HTTP_OTHER_REGIONS
#http state
3 HTTP_STATE
4 HTTP_REQ_LINE
5 HTTP_RES_LINE
6 HTTP_CONTENT
7 HTTP_UNGZIP_CONTENT
8 HTTP_MESSAGE_URL
9 HTTP_URI
#http_request
10 HTTP_HOST
11 HTTP_REFERER
12 HTTP_USER_AGENT
13 HTTP_COOKIE
14 HTTP_PROXY_AUTHORIZATION
15 HTTP_AUTHORIZATION
#http_response
16 HTTP_LOCATION
17 HTTP_SERVER
18 HTTP_ETAG
#http_general
19 HTTP_DATE
20 HTTP_TRAILER
21 HTTP_TRANSFER_ENCODING
22 HTTP_VIA
23 HTTP_PRAGMA
24 HTTP_CONNECTION
#http_content
25 HTTP_CONT_ENCODING
26 HTTP_CONT_LANGUAGE
27 HTTP_CONT_LOCATION
28 HTTP_CONT_DISPOSITION
29 HTTP_CONT_RANGE
30 HTTP_CONT_LENGTH
31 HTTP_CONT_TYPE
32 HTTP_CHARSET
33 HTTP_EXPIRES
34 HTTP_X_FLASH_VERSION
35 HTTP_TRANSFER_LENGTH
36 Set-Cookie


@@ -0,0 +1,22 @@
#以下插件如果加载,初始化失败, sapp平台会退出;
#插件的路径来自配置文件 ./plug/conflist.inf, 不需要加段落标识[platform],[protocol],[business]等.
#If the following plugins fail to initialize, the sapp platform will exit.
#The name of the plugin comes from the configuration ./plug/conflist.inf, section identification is not required.
./plug/protocol/sip/sip.inf
./plug/protocol/rtp/rtp.inf
./plug/protocol/ssl/ssl.inf
./plug/protocol/ssh/ssh.inf
./plug/protocol/http/http.inf
./plug/protocol/dns/dns.inf
./plug/protocol/mail/mail.inf
./plug/protocol/ftp/ftp.inf
./plug/protocol/quic/quic.inf
./plug/protocol/rdp/rdp.inf
./plug/protocol/l2tp_protocol_plug/l2tp_protocol_plug.inf
./plug/business/kni/kni.inf
./plug/business/conn_telemetry/conn_telemetry.inf
./plug/business/http_healthcheck/http_healthcheck.inf
./plug/platform/tsg_ddos_sketch/tsg_ddos_sketch.inf 1
./plug/business/firewall/firewall.inf
./plug/stellar_on_sapp/start_loader.inf
./plug/stellar_on_sapp/defer_loader.inf


@@ -0,0 +1,20 @@
tcp_flow_stat struct
udp_flow_stat struct
tcp_deduce_flow_stat struct
POLICY_PRIORITY struct
ESTABLISH_LATENCY long
MAIL_IDENTIFY int
TSG_MASTER_INTERNAL_LABEL struct
APP_ID_LABEL struct
BASIC_PROTO_LABEL struct
USER_DEFINED_ATTRIBUTE struct
SKETCH_TRANS_LAYER_CTX_LABEL struct
SKETCH_PROTO_CTX_LABEL struct
common_link_info_c2s struct
common_link_info_s2c struct
common_link_info struct
JA3_FINGERPRINT_LABEL struct
DKPT_PRO_V2 struct
DPKT_PROJECT_V2 struct
PPROJECT_PRO_V2 struct
DPKT_BHSTAT_PROJECT struct


@@ -0,0 +1,2 @@
[QUIC]
QUIC_PORT_LIST=443;8443;4433;


@@ -0,0 +1,18 @@
[global]
default format = "%d(%c), %V, %U, %m%n"
rotate lock file = /tmp/sapp_zlog.lock
file perms = 644
[levels]
DEBUG=10
INFO=20
FATAL=30
STOP=40
[formats]
other = "%d(%c), %V, %F, %U, %m%n"
plugin = "%d(%c), %m%n"
[rules]
sapp_log.fatal "./log/runtimelog.%d(%F)", 500M ~ "./log/runtimelog.%d(%F).#2s"
sapp_plugin_log.fatal >stdout; plugin
sapp_plugin_log.info "./log/plugin.log.%d(%F)", 500M ~ "./log/plugin.log.%d(%F).#2s"; plugin
sapp_process_latency_log.fatal "./log/sapp_process_latency.log.%d(%F)", 500M ~ "./log/sapp_process_latency.log.%d(%F).#2s"
!.fatal "./log/%c.%d(%F)", 500M ~ "./log/%c.%d(%F).#2s"; other


@@ -0,0 +1,104 @@
#for inline a device vlan flipping
#数据包来自C路由器端, 即C2I(I2E)方向,
#数据包来自I路由器端, 即I2C(E2I)方向,
#平台会根据vlan_id,设置当前包route_dir的值, 以便上层业务插件做两个方向的流量统计,
#如果一对vlan_id写反了, 网络是通的, 但是I2E,E2I的流量统计就颠倒了.
#配置文件格式, pattern:
#来自C路由器vlan_id 来自I路由器vlan_id 是否开启mac地址翻转
#C_rout r_vlan_id I_router_vlan_id mac_flipping_enable
1000 1001 0
1002 1003 0
1004 1005 0
1006 1007 0
1008 1009 0
1010 1011 0
1012 1013 0
1014 1015 0
1016 1017 0
1018 1019 0
1020 1021 0
1022 1023 0
1024 1025 0
1026 1027 0
1028 1029 0
1030 1031 0
1032 1033 0
1034 1035 0
1036 1037 0
1038 1039 0
1040 1041 0
1042 1043 0
1044 1045 0
1046 1047 0
1048 1049 0
1050 1051 0
1052 1053 0
1054 1055 0
1056 1057 0
1058 1059 0
1060 1061 0
1062 1063 0
1064 1065 0
1066 1067 0
1068 1069 0
1070 1071 0
1072 1073 0
1074 1075 0
1076 1077 0
1078 1079 0
1080 1081 0
1082 1083 0
1084 1085 0
1086 1087 0
1088 1089 0
1090 1091 0
1092 1093 0
1094 1095 0
1096 1097 0
1098 1099 0
1100 1101 0
1102 1103 0
1104 1105 0
1106 1107 0
1108 1109 0
1110 1111 0
1112 1113 0
1114 1115 0
1116 1117 0
1118 1119 0
1120 1121 0
1122 1123 0
1124 1125 0
1126 1127 0
4000 4001 0
4002 4003 0
4004 4005 0
4006 4007 0
4008 4009 0
4010 4011 0
4012 4013 0
4014 4015 0
4016 4017 0
4018 4019 0
4020 4021 0
4022 4023 0
4024 4025 0
4026 4027 0
4028 4029 0
4030 4031 0
4032 4033 0
4034 4035 0
4036 4037 0
4038 4039 0
4040 4041 0
4042 4043 0
4044 4045 0
4046 4047 0
4048 4049 0
4050 4051 0
4052 4053 0
4054 4055 0
4056 4057 0
4058 4059 0
4060 4061 0
4062 4063 0


@@ -0,0 +1,9 @@
# The following ports are considered as server, when creating a new UDP stream or TCP stream without SYN(SYN/ACK) packet.
# You can add other ports according to your needs.
[TCP]
#http
8080
[UDP]
#OICQ
8000


@@ -0,0 +1,131 @@
packages:
- name: sapp-pr
version: 4.3.67.07feab9
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/sapp"
- name: tcpdump_mesa
version: 1.0.13.6ec67f5
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/framework"
- name: conn_telemetry
version: 1.0.3.4ef6df6
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/sapp"
- name: firewall
version: 3.5.1.d5e256a
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg"
- name: glimpse_detector
version: 3.2.0.0069e3b
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/sapp"
- name: qdpi_detector
version: 5.0.2.90682ec
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/sapp"
- name: dns
version: 2.1.7.1da8dfa
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/sapp"
- name: ftp
version: 1.0.16.d996236
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/sapp"
- name: http
version: 2.0.20.0571d0b
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/sapp"
- name: mail
version: 1.0.22.431a81f
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/sapp"
- name: quic
version: 2.0.11.1ab2559
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/sapp"
- name: ssl
version: 3.2.0.93d17f6
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/sapp"
- name: rtp
version: 1.0.7.530ac76
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/sapp"
- name: ssh
version: 2.1.7.b053e65
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/sapp"
- name: dtls
version: 2.0.5.a559144
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/sapp"
- name: mesa_sip
version: 2.1.1.6504027
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/sapp"
- name: deal_socks
version: 1.0.4.329bba3
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/sapp"
- name: stratum
version: 1.1.3.82ba152
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/sapp"
- name: rdp
version: 1.0.3.f392ffd
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/sapp"
- name: session_flags
version: 2.4.0.579bcde
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/sapp"
- name: stat_policy_enforcer
version: 3.5.1.3a39801
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/sapp"
- name: sf_classifier
version: 2.2.0.1f91efa
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/sapp"
- name: stellar-on-sapp
version: 2.1.7.4e4f933
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg"
- name: policy_sketch
version: 1.2.0.43bd6ec
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/sapp"
- name: traffic_sketch
version: 1.1.5.a38497d
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/sapp"
- name: http_healthcheck
version: 2.0.2.969442a
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/sapp"


@@ -0,0 +1,54 @@
[platform]
./plug/stellar_on_sapp/start_loader.inf
[protocol]
{%- if decoders.SOCKS == True %}
./plug/protocol/deal_socks/deal_socks.inf
{%- endif %}
{%- if decoders.SIP == True %}
./plug/protocol/sip/sip.inf
{%- endif %}
{%- if decoders.RTP == True %}
./plug/protocol/rtp/rtp.inf
{%- endif %}
{%- if decoders.SSL == True %}
./plug/protocol/ssl/ssl.inf
{%- endif %}
{%- if decoders.HTTP == True %}
./plug/protocol/http/http.inf
{%- endif %}
{%- if decoders.DNS == True %}
./plug/protocol/dns/dns.inf
{%- endif %}
{%- if decoders.MAIL == True %}
./plug/protocol/mail/mail.inf
{%- endif %}
{%- if decoders.FTP == True %}
./plug/protocol/ftp/ftp.inf
{%- endif %}
{%- if decoders.QUIC == True %}
./plug/protocol/quic/quic.inf
{%- endif %}
./plug/protocol/l2tp_protocol_plug/l2tp_protocol_plug.inf
{%- if decoders.SSH == True %}
./plug/protocol/ssh/ssh.inf
{%- endif %}
{%- if decoders.STRATUM == True %}
./plug/protocol/stratum/stratum.inf
{%- endif %}
{%- if decoders.RDP == True %}
./plug/protocol/rdp/rdp.inf
{%- endif %}
{%- if decoders.DTLS == True %}
./plug/protocol/dtls/dtls.inf
{%- endif %}
[business]
{%- if firewall.enable == True %}
./plug/business/firewall/firewall.inf
{%- endif %}
./plug/stellar_on_sapp/defer_loader.inf
./plug/business/http_healthcheck/http_healthcheck.inf
{%- if decoders.SSL == True %}
./plug/protocol/ssl/ssl_defer.inf
{%- endif %}


@@ -0,0 +1,77 @@
[PLUGINFO]
PLUGNAME=FIREWEALL
SO_PATH=./plug/business/firewall/firewall.so
INIT_FUNC=firewall_init
DESTROY_FUNC=firewall_destory
{%- if decoders.HTTP == True %}
[HTTP]
FUNC_FLAG=ALL
FUNC_NAME=firewall_http_plug_entry
{%- endif %}
{%- if decoders.SSL == True %}
[SSL]
FUNC_FLAG=SSL_CLIENT_HELLO,SSL_SERVER_HELLO,SSL_APPLICATION_DATA,SSL_CERTIFICATE_DETAIL
FUNC_NAME=firewall_ssl_plug_entry
{%- endif %}
{%- if decoders.DNS == True %}
[DNS]
FUNC_FLAG=ALL
FUNC_NAME=firewall_dns_plug_entry
{%- endif %}
{%- if decoders.MAIL == True %}
[MAIL]
FUNC_FLAG=ALL
FUNC_NAME=firewall_mail_plug_entry
{%- endif %}
{%- if decoders.RTP == True %}
[RTP]
FUNC_FLAG=ALL
FUNC_NAME=firewall_rtp_plug_entry
{%- endif %}
{%- if decoders.SIP == True %}
[SIP]
FUNC_FLAG=ALL
FUNC_NAME=firewall_sip_plug_entry
{%- endif %}
{%- if decoders.FTP == True %}
[FTP]
FUNC_FLAG=ALL
FUNC_NAME=firewall_ftp_plug_entry
{%- endif %}
{%- if decoders.QUIC == True %}
[QUIC]
FUNC_FLAG=QUIC_CLIENT_HELLO,QUIC_SERVER_HELLO,QUIC_CACHED_CERT,QUIC_COMM_CERT,QUIC_CERT_CHAIN,QUIC_VERSION,QUIC_APPLICATION_DATA
FUNC_NAME=firewall_quic_plug_entry
{%- endif %}
{%- if decoders.DTLS == True %}
[DTLS]
FUNC_FLAG=ALL
FUNC_NAME=firewall_dtls_plug_entry
{%- endif %}
{%- if decoders.STRATUM == True %}
[STRATUM]
FUNC_FLAG=ALL
FUNC_NAME=firewall_stratum_plug_entry
{%- endif %}
{%- if decoders.RDP == True %}
[RDP]
FUNC_FLAG=ALL
FUNC_NAME=firewall_rdp_plug_entry
{%- endif %}
{%- if decoders.SSH == True %}
[SSH]
FUNC_FLAG=ALL
FUNC_NAME=firewall_ssh_plug_entry
{%- endif %}
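Review bot: `PLUGNAME=FIREWEALL` and `DESTROY_FUNC=firewall_destory` read as misspellings of FIREWALL and firewall_destroy; if the shared object really exports `firewall_destory` and the loader matches the symbol literally, add a comment such as `# 'destory' is the symbol name exported by firewall.so; do not correct` so nobody fixes it and breaks plugin teardown, otherwise correct the symbol now while the file is new. Every section below is gated on `decoders.<PROTO> == True`, and nothing says what happens when `decoders` lacks a key (an undefined attribute compares unequal and the section is simply omitted), which is worth a one-line header comment for people editing values.yaml.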


@@ -0,0 +1,379 @@
{% import '/templates/macros.j2' as macros -%}
{
{%- if firewall.logs.enable == True %}
"switch": "on",
{%- else %}
"switch": "off",
{%- endif %}
"channel_list": [
{%- if external_resources.olap.udp_collectors.enable == True %}
{
"channel": "udpsock",
"collector": "{{ macros.address_port_pairs_render(external_resources.olap.udp_collectors.addresses,",") }}"
},
{%- endif %}
{
"channel": "kafka",
"broker_list": "{{ macros.address_port_pairs_render(external_resources.olap.kafka_brokers.addresses,",") }}",
"sasl_username": "{{ macros.safe_read(external_resources,"olap.kafka_brokers.sasl_username") }}",
"sasl_password": "{{ macros.safe_read(external_resources,"olap.kafka_brokers.sasl_password") }}",
"compression": "snappy",
"refresh_interval_ms": "600000",
"send_queue_max_msg": "1000000",
"required_acks": "1"
}
],
"format_list": [
"json",
"ipfix",
"mpack"
],
"ringbuff": {
"size": {{ firewall.logs.ringbuf.size }},
"num": 2
},
"transmitter_list": [
{%- if external_resources.olap.udp_collectors.enable == True %}
{
"switch": "on",
"async": "off",
"name": "IPFIX-TEMPLATE",
"topic": "IPFIX-TEMPLATE",
"mode": [
{
"channel": "udpsock",
"format": [
"ipfix"
]
}
]
},
{%- endif %}
{
{%- if session_record.enable == True %}
"switch": "on",
{%- else %}
"switch": "off",
{%- endif %}
"async": "on",
"name": "SESSION-RECORD",
"topic": "SESSION-RECORD",
"client_id": "SESSION-RECORD",
"mode": [
{%- if external_resources.olap.udp_collectors.enable == True %}
{
"channel": "udpsock",
"format": [
"ipfix"
]
},
{%- endif %}
{
"channel": "kafka",
"format": [
"json"
]
}
]
},
{
{%- if transaction_record.enable_http == True %}
"switch": "on",
{%- else %}
"switch": "off",
{%- endif %}
"async": "on",
"name": "HTTP-TRANSACTION-RECORD",
"topic": "TRANSACTION-RECORD",
"client_id": "TRANSACTION-RECORD",
"mode": [
{
"channel": "kafka",
"format": [
"json"
]
}
]
},
{
{%- if transaction_record.enable_mail == True %}
"switch": "on",
{%- else %}
"switch": "off",
{%- endif %}
"async": "on",
"name": "MAIL-TRANSACTION-RECORD",
"topic": "TRANSACTION-RECORD",
"client_id": "TRANSACTION-RECORD",
"mode": [
{
"channel": "kafka",
"format": [
"json"
]
}
]
},
{
{%- if transaction_record.enable_dns == True %}
"switch": "on",
{%- else %}
"switch": "off",
{%- endif %}
"async": "on",
"name": "DNS-TRANSACTION-RECORD",
"topic": "TRANSACTION-RECORD",
"client_id": "TRANSACTION-RECORD",
"mode": [
{
"channel": "kafka",
"format": [
"json"
]
}
]
},
{
{%- if voip_record.enable_sip == True %}
"switch": "on",
{%- else %}
"switch": "off",
{%- endif %}
"async": "on",
"name": "SIP-VOIP-RECORD",
"topic": "VOIP-RECORD",
"client_id": "VOIP-RECORD",
"mode": [
{
"channel": "kafka",
"format": [
"json"
]
}
]
},
{
{%- if voip_record.enable_rtp == True %}
"switch": "on",
{%- else %}
"switch": "off",
{%- endif %}
"async": "on",
"name": "RTP-VOIP-RECORD",
"topic": "VOIP-RECORD",
"client_id": "VOIP-RECORD",
"mode": [
{
"channel": "kafka",
"format": [
"json"
]
}
]
},
{
{%- if file_stream_record.enable == True %}
"switch": "on",
{%- else %}
"switch": "off",
{%- endif %}
"async": "on",
"name": "POLICY-PACKET-TRAFFIC-FILE-STREAM-RECORD",
"topic": "TRAFFIC-POLICY-CAPTURE-FILE-STREAM-RECORD",
"client_id": "TRAFFIC-POLICY-CAPTURE-FILE-STREAM-RECORD",
"mode": [
{
"channel": "kafka",
"format": [
"mpack"
]
}
]
},
{
{%- if file_stream_record.enable == True %}
"switch": "on",
{%- else %}
"switch": "off",
{%- endif %}
"async": "on",
"name": "HTTP-REQ-BODY-TRAFFIC-FILE-STREAM-RECORD",
"topic": "TRAFFIC-HTTP-FILE-STREAM-RECORD",
"client_id": "TRAFFIC-HTTP-FILE-STREAM-RECORD",
"mode": [
{
"channel": "kafka",
"format": [
"mpack"
]
}
]
},
{
{%- if file_stream_record.enable == True %}
"switch": "on",
{%- else %}
"switch": "off",
{%- endif %}
"async": "on",
"name": "HTTP-RES-BODY-TRAFFIC-FILE-STREAM-RECORD",
"topic": "TRAFFIC-HTTP-FILE-STREAM-RECORD",
"client_id": "TRAFFIC-HTTP-FILE-STREAM-RECORD",
"mode": [
{
"channel": "kafka",
"format": [
"mpack"
]
}
]
},
{
{%- if file_stream_record.enable == True %}
"switch": "on",
{%- else %}
"switch": "off",
{%- endif %}
"async": "on",
"name": "MAIL-EML-TRAFFIC-FILE-STREAM-RECORD",
"topic": "TRAFFIC-EML-FILE-STREAM-RECORD",
"client_id": "TRAFFIC-EML-FILE-STREAM-RECORD",
"mode": [
{
"channel": "kafka",
"format": [
"mpack"
]
}
]
},
{
{%- if file_stream_record.enable == True %}
"switch": "on",
{%- else %}
"switch": "off",
{%- endif %}
"async": "on",
"name": "RTP-PACKET-TRAFFIC-FILE-STREAM-RECORD",
"topic": "TRAFFIC-RTP-FILE-STREAM-RECORD",
"client_id": "TRAFFIC-RTP-FILE-STREAM-RECORD",
"mode": [
{
"channel": "kafka",
"format": [
"mpack"
]
}
]
},
{
{%- if packet_capture.enable == True %}
"switch": "on",
{%- else %}
"switch": "off",
{%- endif %}
"async": "on",
"name": "TROUBLESHOOTING-FILE-STREAM-RECORD",
"topic": "TROUBLESHOOTING-FILE-STREAM-RECORD",
"client_id": "TROUBLESHOOTING-FILE-STREAM-RECORD",
"mode": [
{
"channel": "kafka",
"format": [
"mpack"
]
}
]
},
{
"switch": "on",
"async": "off",
"name": "DOS-SKETCH-RECORD",
"topic": "DOS-SKETCH-RECORD",
"client_id": "DOS-SKETCH-RECORD",
"mode": [
{
"channel": "kafka",
"format": [
"json"
]
}
]
},
{
"switch": "on",
"async": "off",
"name": "POLICY-RULE-METRIC",
"topic": "POLICY-RULE-METRIC",
"client_id": "POLICY-RULE-METRIC",
"mode": [
{
"channel": "kafka",
"format": [
"json"
]
}
]
},
{
"switch": "on",
"async": "off",
"name": "NETWORK-TRAFFIC-METRIC",
"topic": "NETWORK-TRAFFIC-METRIC",
"client_id": "NETWORK-TRAFFIC-METRIC",
"mode": [
{
"channel": "kafka",
"format": [
"json"
]
}
]
},
{
"switch": "on",
"async": "off",
"name": "TRAFFIC-TOP-METRIC",
"topic": "TRAFFIC-TOP-METRIC",
"client_id": "TRAFFIC-TOP-METRIC",
"mode": [
{
"channel": "kafka",
"format": [
"json"
]
}
]
},
{
"switch": "on",
"async": "off",
"name": "STATISTICS-RULE-METRIC",
"topic": "STATISTICS-RULE-METRIC",
"client_id": "STATISTICS-RULE-METRIC",
"mode": [
{
"channel": "kafka",
"format": [
"json"
]
}
]
},
{
"switch": "on",
"async": "off",
"name": "OBJECT-STATISTICS-METRIC",
"topic": "OBJECT-STATISTICS-METRIC",
"client_id": "OBJECT-STATISTICS-METRIC",
"mode": [
{
"channel": "kafka",
"format": [
"json"
]
}
]
}
]
}
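Review bot: The kafka `sasl_username` and `sasl_password` values are interpolated straight into JSON string literals with no escaping, so a credential containing `"` or `\` yields invalid JSON or lets the value spill out of its field; the broker and collector address strings have the same exposure. Rendering them with Jinja's `tojson` filter (available since Jinja 2.9, and it emits the surrounding quotes) fixes it: `"sasl_username": {{ macros.safe_read(external_resources,"olap.kafka_brokers.sasl_username") | tojson }},` and the same for `sasl_password`, assuming safe_read returns a string or None. The rendered file then holds the Kafka password in plaintext on disk, so the file mode the entrypoint gives it matters — that is not visible in this hunk. `"required_acks": "1"` is leader-only acknowledgement, so records can be lost on a broker failover; fine for the metric topics, but worth a comment if SESSION-RECORD is relied on as an audit source.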


@@ -0,0 +1,6 @@
{% import '/templates/macros.j2' as macros -%}
[Module]
pcapdevice={{ nic_raw_name }}
sendto_gdev_card={{ nic_raw_name }}
sendto_gdev_ip={{ macros.safe_read(etherfabric_settings,"keepalive.ip") }}
gdev_status_switch=1


@@ -0,0 +1,37 @@
[FUNCTION]
switch_no_biz=1
#0 means close stat
stat_cycle=0
#stat output screen 0: screen 1: file
stat_screen_print=0
stat_file=./log/http/http_stat.log
#ungzip
{%- if decoders.HTTP_GZIP == True %}
ungzip_switch=1
{%- else %}
ungzip_switch=0
{%- endif %}
#support proxy
proxy_switch=1
#single-way traffic need http session num, 0 means no this function
singleway_maxseq=2
#0: field callback mode(default) 1:batch callback mode
callback_mode=0
#batch field maxnum when http_all or http_other
batch_field_maxnum=32
#check HEAD when s2c one-way
s2c_head_check_switch=1
[LOG]
#FATAL:wrong info
#INFO: lostlen; special proc ;proxy info
#DEBUG: pending and close info; all url;
log_level=30
log_path=./log/http/runtime


@@ -0,0 +1,42 @@
{% import '/templates/macros.j2' as macros -%}
[CM_STATIC_MAAT]
###file, json, redis
MAAT_MODE=redis
STAT_SWITCH=1
PERF_SWITCH=0
HIT_GROUP_SWITCH=1
TABLE_INFO=tsgconf/firewall_cm_maat_tableinfo.json
STAT_FILE=metrics/firewall_cm_maat_stat.json
EFFECT_INTERVAL_MS=1000
GARBAGE_COLLECT_MS=60000
RULE_UPDATE_CHECK_INTERVAL_MS=1000
REDIS_IP={{ macros.cm_address(external_resources.cm) }}
REDIS_PORT={{ macros.cm_port(external_resources.cm) }}
REDIS_INDEX={{ vsys_id }}
JSON_CFG_FILE=tsgconf/firewall_cm_maat_rule.json
INC_CFG_DIR=tsgrule/inc/index/
FULL_CFG_DIR=tsgrule/full/index/
EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
LOG_PATH="log/firewall.cm.maat"
[SD_DYNAMIC_MAAT]
MAAT_MODE=redis
STAT_SWITCH=1
PERF_SWITCH=1
TABLE_INFO=tsgconf/firewall_sd_maat_tableinfo.json
STAT_FILE=metrics/firewall_sd_maat_stat.json
EFFECT_INTERVAL_MS={{ external_resources.sd.policy_effect_interval_ms }}
GARBAGE_COLLECT_MS={{ external_resources.sd.policy_garbage_collection_interval_ms }}
RULE_UPDATE_CHECK_INTERVAL_MS={{ external_resources.sd.policy_update_check_interval_ms }}
REDIS_IP={{ macros.sd_address(external_resources.sd) }}
REDIS_PORT_NUM=1
REDIS_PORT={{ macros.sd_port(external_resources.sd) }}
REDIS_INDEX={{ external_resources.sd.db_index }}
JSON_CFG_FILE=tsgconf/firewall_sd_maat_rule.json
INC_CFG_DIR=tsgrule/inc/index/
FULL_CFG_DIR=tsgrule/full/index/
EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
LOG_PATH="log/firewall.sd.maat"
[MAAT]
ACCEPT_TAGS={"tags":[{{ macros.device_tag_list(device) }}]}
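Review bot: Neither [CM_STATIC_MAAT] nor [SD_DYNAMIC_MAAT] carries a credential or TLS setting for the Redis endpoints they point at via `REDIS_IP`/`REDIS_PORT`, so the policy store is reachable by anything that can reach those ports unless the network layer restricts it. If the maat library supports a password key it should be templated here next to the address; if it does not, a comment stating that the endpoint is expected to sit on an internal-only network would save the next reader from guessing. Minor: `LOG_PATH="log/firewall.cm.maat"` is the only quoted value in the file — harmless if the parser strips quotes, but if it takes them literally the directory name will include them, so `LOG_PATH=log/firewall.cm.maat` matches the other keys.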


@@ -0,0 +1,24 @@
[MODULE]
LOG_PATH=./log/mail
LOG_LEVEL=20
#USER_DEFINE_REGION=X-mailer,Message-ID
#IMAP BODY/BODYSTRUCTURE information
HTABLE_SIZE=65536
HTABLE_EXPIRE_TIME=1800
#whether to decode BASE64/QP, 0:OFF, 1:ON(default)
{%- if decoders.MAIL_BASE64 == True %}
TRANS_DECODE_SWITCH=1
{%- else %}
TRANS_DECODE_SWITCH=0
{%- endif %}
#0: callback biz per packet; 1: callback biz per line(default)
CALLBACK_BIZ_LINE=1
STAT_FIELD_CYCLE=10
STAT_FIELD_TRIG=0
STAT_FIELD_APPNAME=MAIL_PRO
STAT_FIELD_DST_IP=10.10.10.68
STAT_FIELD_DST_PORT=8125
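Review bot: `STAT_FIELD_DST_IP=10.10.10.68` hard-codes what looks like a lab host as the statsd destination, while every other statsd target in this commit is 127.0.0.1 or a template value. `STAT_FIELD_TRIG=0` presumably keeps it inert today, but flipping that switch later would send decoder statistics to an address nobody intended; `STAT_FIELD_DST_IP=127.0.0.1` (or a `{{ ... }}` variable like the rest of the templates) removes the trap. A comment on what STAT_FIELD_TRIG gates would also help, since the surrounding knobs are all documented.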


@@ -0,0 +1,144 @@
{% import '/templates/macros.j2' as macros -%}
[MAAT]
PROFILE="./tsgconf/maat.conf"
{%- if external_resources.sd.enable is defined and external_resources.sd.enable == True %}
DYNAMIC_MAPPING_MAAT_SWITCH=1
{%- else %}
DYNAMIC_MAPPING_MAAT_SWITCH=0
{%- endif %}
DEVICE_TAG_FILE=/opt/tsg/etc/tsg_device_tag.json
ACCEPT_TAGS={"tags":[{{ macros.device_tag_list(device) }}]}
[TSG_LOG]
IPFIX_SCHEMA_PROFILE=./tsgconf/firewall_logger_ipfix_schema.json
LOGGER_SCHEMA_PROFILE=./tsgconf/firewall_logger_transmitter_schema.json
TRAFFIC_VSYSTEM_ID={{ vsys_id }}
{%- if firewall.logs.contains_app_id.enable == True %}
SEND_APP_ID_SWITCH=1
{%- else %}
SEND_APP_ID_SWITCH=0
{%- endif %}
{%- if firewall.logs.contains_dns_resource_record.enable == True %}
SEND_DNS_RR_SWITCH=1
{%- else %}
SEND_DNS_RR_SWITCH=0
{%- endif %}
[SYSTEM]
DATACENTER_ID={{ session_id_generator.snowflake_worker_id_base }}
LOG_LEVEL=30
LOG_PATH="firewall.log"
DEVICE_SEQ_IN_DATA_CENTER={{ session_id_generator.snowflake_worker_id_offset }}
SERVICE_CHAINING_SID={{ sid.sce }}
SHAPING_SID={{ sid.shaping }}
PROXY_SID={{ sid.proxy }}
{%- if decoders.SSL_JA3 == True %}
GENERATE_JA3_FINGERPRINT=1
{%- else %}
GENERATE_JA3_FINGERPRINT=0
{%- endif %}
MAX_SCAN_TCP_PKT_COUNT=8
MAX_SCAN_UDP_PKT_COUNT=8
PERIODIC_SCAN_INTERVAL_MS=120000
OSFP_DB_JSON_PATH=tsgconf/firewall_osfp_db.json
L7_PROTOCOL_FILE=./tsgconf/firewall_l7_protocol.conf
{% if appsketch.context_based_detector == True and appsketch.enable == True %}
APPSKETCH_SWITCH=1
{%- else %}
APPSKETCH_SWITCH=0
{%- endif %}
[FIREWALL]
# hijack, replace
PACKET_RESPONSE_MODE=replace
HTTP_PAGE200=./tsgconf/HTTP200.html
HTTP_PAGE204=./tsgconf/HTTP204.html
HTTP_PAGE403=./tsgconf/HTTP403.html
HTTP_PAGE404=./tsgconf/HTTP404.html
[FIREWALL_LOCAL_STAT]
STAT_NAME="firewall"
STAT_INTERVAL_TIME_S=5
STAT_OUTPATH="metrics/firewall_local_file_stat.json"
[APP_SKETCH_FEEDBACK]
QOS=0
PUBLISH_TOPIC="APP_SIGNATURE_ID"
#CLIENT_ID=
#BROKER_IP=
#BROKER_PORT=
[qdpi_detector]
debug_swtich=30
intput_max_packet=20
qmdpi_engine_config=injection_mode=stream;nb_workers={{ sapp_affinity | length }};nb_flows=8000;basic_dpi_enable=1;classification_cache_enable=0;fm_flow_table_alloc_mode=0
[TRAFFIC_MIRROR]
{%- if traffic_mirror.enable_raw_traffic == True %}
TRAFFIC_MIRROR_ENABLE=1
{%- else %}
TRAFFIC_MIRROR_ENABLE=0
{%- endif %}
NIC_NAME="{{ macros.safe_read(nic_mirror_name,"firewall") }}"
APP_NAME="firewall-mirror-{{ app_symbol_index }}"
DEFAULT_VLAN_ID=0
[PROTO_IDENTIFY]
MAX_IDENTIFY_PACKETS=10
[SESSION_FLAGS]
#RANDOM_LOOKING_JUDGE_LIST={"random_looking_judge_list":[ "frequency", "block_frequency", "cumulative_sums", "runs", "longest_run", "rank", "non_overlapping_template_matching", "overlapping_template_matching", "universal", "random_excursions", "random_excursions_variant", "poker_detect", "runs_distribution", "self_correlation", "binary_derivative" ]}
FET_ENABLED=1
RANDOM_LOOKING_UDP_IGNORE_PKTS=-1
RANDOM_LOOKING_JUDGE_LIST={"random_looking_judge_list":[]}
TUNNELING_PCRE_LIST={"tunneling_pcre_list":["(B|C)(d){3,5}(a|b|c|d)(A|B)b(A|B|C|D)", "(B|C)(d){3,5}(a|b|c|d)Aa(A|B|C|D)", "(B|C)(d){2}(b|c)(A|B)b(A|B|C|D)", "(B|C)(d){2}(b|c)Aa(A|B|C|D)"]}
[SF_CLASSIFIER]
SYNC_MODE=1
{% if stat_policy_enforcer.enable == True -%}
[STAT_POLICY_ENFORCER]
CYCLE_INTERVAL_S=1
SESSION_UPDATE_MS=250
{%- endif %}
{% if traffic_sketch.enable == True -%}
[TRAFFIC_SKETCH]
APP_AND_TRAFFIC_CYCLE_S=1
APP_AND_TRAFFIC_CYCLE_UPDATE_MS=250
TOPK_CYCLE_S=60
TOPK_UPDATE_MS=1000
DOS_CYCLE_S=60
DOS_UPDATE_MS=1000
SWITCH_TRAFFIC_SKETCH=1
{%- endif %}
{% if policy_sketch.enable == True -%}
[POLICY_SKETCH]
OBJECT_CYCLE_S=1
OBJECT_UPDATE_MS=250
RULE_HITS_CYCLE_S=1
RULE_HITS_UPDATE_MS=250
{%- endif %}
[DOS_PROTECTOR]
{% if dos_protector.enable == True -%}
DOS_PROTECTOR_ENABLE=1
OUTPUT_INTERVAL_MS=60000
METRICS_OUTPUT_INTERVAL_MS=60000
SWARMKV_CLUSTER_NAME="dos_protection_vsys{{ vsys_id }}"
SWARMKV_NODE_IP="0.0.0.0"
SWARMKV_NODE_PORT=8551
SWARMKV_CONSUL_IP="NODE_IP_LOCATION"
SWARMKV_CONSUL_PORT=8500
SWARMKV_CLUSTER_ANNOUNCE_IP="NODE_IP_LOCATION"
SWARMKV_CLUSTER_ANNOUNCE_PORT=CLUSTER_ANNOUNCE_PORT_LOCATION
SWARMKV_HEALTH_CHECK_PORT=8552
SWARMKV_HEALTH_CHECK_ANNOUNCE_PORT=HEALTH_CHECK_ANNOUNCE_PORT_LOCATION
{%- else %}
DOS_PROTECTOR_ENABLE=0
{%- endif %}
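Review bot: The [DOS_PROTECTOR] block mixes Jinja variables with bare placeholders — `SWARMKV_CONSUL_IP="NODE_IP_LOCATION"`, `SWARMKV_CLUSTER_ANNOUNCE_IP="NODE_IP_LOCATION"`, `SWARMKV_CLUSTER_ANNOUNCE_PORT=CLUSTER_ANNOUNCE_PORT_LOCATION`, `SWARMKV_HEALTH_CHECK_ANNOUNCE_PORT=HEALTH_CHECK_ANNOUNCE_PORT_LOCATION` — that some later step must substitute; if that step is skipped the engine starts with a literal hostname and a non-numeric port and nothing here fails early. Rendering them as template variables like the rest of the file, or at least a comment naming the script that replaces them, makes the contract visible. `SWARMKV_NODE_IP="0.0.0.0"` binds the KV node on every interface with no authentication setting in sight; confirm the pod network policy restricts 8551/8552, or bind to the pod IP. `debug_swtich` and `intput_max_packet` in [qdpi_detector] are typos, but they are key names the binary parses, so only change them together with the parser.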


@@ -0,0 +1,274 @@
###################################################################################################
# NOTE:
# The format of this file is toml (https://github.com/cktan/tomlc99)
# to make vim editor display colorful and human readable,
# you can create a symbolic links named sapp.ini to sapp.toml, ln -sf sapp.toml sapp.ini
###################################################################################################
[SYSTEM]
instance_name = "firewall-{{ app_symbol_index }}"
[CPU]
### note, bind_mask, if you do not want to bind thread to special CPU core, keep it empty as []
worker_threads={{ sapp_affinity | length }}
send_only_threads_max=0
bind_mask=[{{ sapp_affinity | join (',') }}]
[MEM]
dictator_enable=0
[PACKET_IO]
[overlay_tunnel_definition]
### note, since 2020-10-01, L2-L3 tunnel(VLAN,MPLS,PPPOE,etc.) is process and offload by mrtunnat,
### after 2020-10-01, sapp support L2-L3 tunnel(VLAN,MPLS,PPPOE,etc.) without mrtunnat.
l2_l3_tunnel_support=1
### note, optional value is [none, vxlan, nf]
overlay_mode="nf"
[packet_io.feature]
destroy_all_plug_enabled = 0
### note, used to represent inbound or outbound direction value,
### because it comes from Third party device, so it needs to be specified manually,
### if inbound_route_dir=1, then outbound_route_dir=0, vice versa,
### in other words, outbound_route_dir = 1 ^ inbound_route_dir;
inbound_route_dir=1
### note, BSD_packet_filter, if you do not want to set any filter rule, keep it empty as ""
BSD_packet_filter=""
### note, same as tcpdump -Q/-P arg, possible values are `in', `out' and `inout', default is "in"
pcap_capture_direction="in"
### note, depolyment.mode options: [sys_route, vxlan_by_inline_device, raw_ethernet_single_gateway, raw_ethernet_multi_gateway]
### sys_route: send ip(ipv6) packet by system route table, this is default mode in mirror mode;
### vxlan_by_inline_device: encapsulation inject packet with vxlan, and then send to inline device by udp socket.
### raw_ethernet_single_gateway: send layer2 ethernet packet to specific gateway in same broadcast domain.
### raw_ethernet_multi_gateway: send layer2 ethernet packet to multiple gateway in same broadcast domain.
inject_pkt_mode="default"
inject_pkt_prepend_segment_id={{ sid.inject_adapter }}
### note, this config is valid if inject_pkt_mode==vxlan_by_inline_device, means udp socket src port.
#inject_mode_inline_device_sport=54789
### note, this config is valid if inject_pkt_mode==raw_ethernet_single_gateway.
#inject_mode_single_gateway_device="eth1"
### inject_mode_single_gateway_src_mac has lower priority than get smac from inject_mode_single_gateway_device
#inject_mode_single_gateway_src_mac="00:11:22:77:88:99"
#inject_mode_single_gateway_dst_mac="00:11:22:33:44:55"
#dumpfile_sleep_time_before_exit=3
### note, depolyment.mode options: [mirror, inline, transparent]
[packet_io.deployment]
mode="inline"
### note, interface.type options: [pag,pcap,marsio]
[packet_io.internal.interface]
type="marsio"
name="{{ nic_raw_name }}"
[packet_io.external.interface]
type="pcap"
name="lo"
[packet_io.polling]
### note, polling_priority = call sapp_recv_pkt every call polling_entry times,
polling_priority=100
[packet_io.under_ddos]
### note, to reduce impact of ddos attack,set some stream bypass, all plugins will not process these streams
{%- if overload_protection.enable == True %}
stream_bypass_enabled=1
{%- else %}
stream_bypass_enabled=0
{%- endif %}
### note, cpu usage value is percent, for example, config value is 85, means 85%, valid range: [1,100]
### sapp change to bypass state immediately when realtime cpu usage > bypass_trigger_cpu_usage
bypass_trigger_cpu_usage={{ overload_protection.detect_threshold_cpu_usages }}
### note, unit of get_cpu_usage_interval is milliseconds(ms)
get_cpu_usage_interval={{ overload_protection.detect_interval_in_ms }}
### note, use the average of the last $smooth_avg_window times as current realtime value
smooth_avg_window={{ overload_protection.detect_smooth_avg_window }}
decrease_ratio="0.95"
increase_ratio="1.005"
### note, unit of bypass_observe_time is second(s)
recovery_observe_time={{ overload_protection.recovery_detect_cycle_in_sec }}
[PROTOCOL_FEATURE]
ipv6_decapsulation_enabled=1
ipv6_send_packet_enabled=1
tcp_drop_pure_ack_pkt=0
tcp_syn_option_parse_enabled=1
skip_not_ip_layer_over_eth=0
skip_gtp_seq_field_for_inject=1
[DUPLICATE_PKT]
[dup_pkt.traffic.original]
kickout_udp_stream_enabled=0
{%- if session_manager.tcp_duplicated_packet_filter == True %}
original_ipv4_tcp_enabled=1
{%- else %}
original_ipv4_tcp_enabled=0
{%- endif %}
{%- if session_manager.udp_duplicated_packet_filter == True %}
original_ipv4_udp_enabled=1
{%- else %}
original_ipv4_udp_enabled=0
{%- endif %}
### note, can't distinguish between duplicate traffic and application retransmit traffic for IPv6 packets,
### so not support IPv6 original duplicate traffic check.
[dup_pkt.traffic.inject]
{%- if session_manager.inject_duplicated_packet_filter == True %}
inject_all_enabled=1
{%- else %}
inject_all_enabled=0
{%- endif %}
[dup_pkt.parameters]
bloom_capacity=1000000
bloom_error_rate=0.00001
bloom_timeout=10
[STREAM]
### note, stream_id_base_time format is "%Y-%m-%d %H:%M:%S"
stream_id_base_time="2021-01-01 00:00:00"
[stream.tcp]
max={{ session_manager.tcp_session_max }}
timeout={{ session_manager.tcp_session_timeout_in_sec }}
syn_mandatory=1
reorder_pkt_max={{ session_manager.tcp_session_unordered_pkt_max }}
analyse_option_enabled=1
tuple4_reuse_time_interval=30
meaningful_statistics_minimum_pkt=3
meaningful_statistics_minimum_byte=5
opening_timeout={{ session_manager.tcp_session_opening_timeout_in_sec }}
closing_timeout={{ session_manager.tcp_session_closing_timeout_in_sec }}
[stream.tcp.inject]
link_mss=1460
[stream.tcp.inject.rst]
auto_remedy=0
number=3
signature_enabled=1
signature_seed1=65535
signature_seed2=13
remedy_kill_tcp_by_inline_device=0
[stream.udp]
max={{ session_manager.udp_session_max }}
timeout={{ session_manager.udp_session_timeout_in_sec }}
meaningful_statistics_minimum_pkt=3
meaningful_statistics_minimum_byte=5
[PROFILING]
[profiling.log]
sapp_log_category="sapp_log"
sapp_plugin_log_category="sapp_plugin_log"
#for profiling-related API control, e.g printaddr
[profiling.metric]
[profiling.metric.fs2]
enabled=0
prometheus_port=9273
prometheus_url_path="/metrics"
local_file="log/fs2_sysinfo.metrics"
refresh_interval_s=1
[profiling.metric.fs3]
enabled=0
prometheus_port=9273
prometheus_url_path="/metrics"
local_file="log/fs3_sysinfo.metrics"
refresh_interval_s=1
[profiling.metric.fs4]
enabled=1
local_file="./metrics/fs4_sysinfo.json"
refresh_interval_s=1
app_name="sapp4"
[profiling.process_latency]
log_category="sapp_process_latency_log"
histogram_enabled=0
local_file="fs2_process_latency.metrics"
refresh_interval_s=1
### note, threshold unit is microseconds (us), legal_scope [1,99999999], max value is 99
threshold_us=1000
### define in time.h,use CLOCK_MONOTONIC_COARSE as default
### 0 means CLOCK_REALTIME, 1 means CLOCK_MONOTONIC, 2 means CLOCK_PROCESS_CPUTIME_ID, 3 means CLOCK_THREAD_CPUTIME_ID
### 4 means CLOCK_MONOTONIC_RAW, 5 means CLOCK_REALTIME_COARSE, 6 means CLOCK_MONOTONIC_COARSE
clock_gettime_id=6
[profiling.sanity_check]
raw_pkt_broken_enabled=0
symbol_conflict_enabled=0
[TOOLS]
[tools.pkt_dump]
enabled=1
### note, mode options value:[storage, udp_socket]
mode="udp_socket"
BSD_packet_filter=""
[tools.pkt_dump.threads]
### note, if you want enable pkt dump in all thread, set dump_thread_all_enabled=1, then 'dump_thread_id' is obsoleted.
### if dump_thread_all_enabled=0, then use dump_thread_id to specify separate specified thread index.
all_threads_enabled=1
### note, dump_thread_id start from 0, max is CPU.worker_threads-1
dump_thread_id=[0,1,2,3,4]
[tools.pkt_dump.udp]
command_port=9345
pkt_dump_ratio=30
[tools.pkt_dump.storage]
### note, file path must be double quotation mark extension, for example, path="/dev/shm/pkt_dump"
path="/dev/shm/pkt_dump"
### note, file size unit: MB
file_size_max_per_thread=10000
[BREAKPAD]
disable_coredump=0
enable_breakpad=0
enable_breakpad_upload=0
breakpad_minidump_dir="/run/sapp/crashreport"
breakpad_upload_tools="/opt/tsg/framework/bin/minidump_upload"
### note:
### These configurations format is complex and difficult to describe with toml grammar,
### so, create a independent secondary config file to description specific information.
[SECONDARY_CONFIG_LINK]
cfg_file_sapp_log="etc/sapp_log.conf"
cfg_file_plug_list="plug/conflist.inf"
cfg_file_project_list="etc/project_list.conf"
cfg_file_entrylist="etc/entrylist.conf"
cfg_file_send_raw_pkt="etc/send_raw_pkt.conf"
cfg_file_vxlan_sport_map="etc/vxlan_sport_service_map.conf"
cfg_file_inline_device="etc/gdev.conf"
cfg_file_necessary_plug_list="etc/necessary_plug_list.conf"
cfg_file_stream_compare_layer="etc/stream_compare_layer.conf"
cfg_file_vlan_flipping="etc/vlan_flipping_map.conf"
cfg_file_asymmetric_addr_layer="etc/asymmetric_addr_layer.conf"
cfg_file_well_known_port="etc/well_known_port.conf"
[SECONDARY_DATA_LINK]
data_file_sysinfo_log="log/sysinfo.log"
data_file_field_stat_log="log/fs2_sysinfo.log"
data_file_inline_keepalive_log="log/gdev_keeplive_status.log"
[LIBRARY_LINK]
marsio_library_path="/opt/tsg/mrzcpd/lib/libmarsio.so"
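Review bot: `[tools.pkt_dump]` ships with `enabled=1`, `mode="udp_socket"`, `all_threads_enabled=1` and `command_port=9345`, so every firewall instance starts a packet-dump facility that takes commands over UDP and emits captured traffic over UDP, with no authentication setting visible in this file. For a DPI engine that is a direct path to raw customer traffic; it should default off and be tied to an operator switch, e.g. `enabled={{ 1 if packet_capture.enable == True else 0 }}`, if that variable — already used to gate the troubleshooting transmitter elsewhere in this commit — is what operators expect to control captures. `dump_thread_id=[0,1,2,3,4]` is a fixed list while `worker_threads` is templated; it is ignored while `all_threads_enabled=1` but goes stale the moment that is turned off. Separately, `signature_seed1=65535`/`signature_seed2=13` are identical in every deployment — if they seed the injected-RST signature, resets are fingerprintable across installations, which deserves either a comment or a per-deployment value.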


@@ -0,0 +1,9 @@
#(0:pag,1:pcap,2:dumpfile,3:pfring,4:DPDK,5:ppf,6:NPacket,7:qnf,8:N95,9:pcap-dumpfile-list,10:topsec,
##(11:ipfile, 12:marsio4, 13:agent_smith, 14:dpdk_vxlan, 15:marsio_vxlan, 16:pag_marsio
#target_id
0 pag p7p2 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 {{ nic_raw_name }} smith dpdk dpdk pag
1 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 {{ nic_raw_name }} smith dpdk dpdk pag
#2 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p1 smith dpdk dpdk pag
#3 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p2 smith dpdk dpdk pag
#4 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p2 smith dpdk dpdk pag


@@ -0,0 +1,49 @@
{% if session_flags.enable == True -%}
[[plugin]]
path = "./stellar_plugin/session_flags.so"
init = "session_flags_plugin_init"
exit = "session_flags_plugin_exit"
{%- endif %}
[[plugin]]
path = "./stellar_plugin/glimpse_detector.so"
init = "APP_GLIMPSE_DETECTOR_LOAD"
exit = "APP_GLIMPSE_DETECTOR_UNLOAD"
[[plugin]]
path = "./plug/business/firewall/firewall.so"
init = "firewall_stellar_plugin_load"
exit = "firewall_stellar_plugin_unload"
[[plugin]]
path = "./stellar_plugin/sf_classifier.so"
init = "sf_classifier_init"
exit = "sf_classifier_exit"
{% if appsketch.qdpi_detector == True and appsketch.enable == True -%}
[[plugin]]
path = "./stellar_plugin/qdpi_detector/qdpi_detector.so"
init = "QDPI_DETECTOR_LOAD"
exit = "QDPI_DETECTOR_UNLOAD"
{%- endif %}
{% if stat_policy_enforcer.enable == True -%}
[[plugin]]
path = "./stellar_plugin/stat_policy_enforcer.so"
init = "STATISTICS_INIT"
exit = "STATISTICS_EXIT"
{%- endif %}
{% if traffic_sketch.enable == True -%}
[[plugin]]
path = "./stellar_plugin/traffic_sketch.so"
init = "TRAFFIC_SKETCH_INIT"
exit = "TRAFFIC_SKETCH_EXIT"
{%- endif %}
{% if policy_sketch.enable == True -%}
[[plugin]]
path = "./stellar_plugin/policy_sketch.so"
init = "POLICY_SKETCH_INIT"
exit = "POLICY_SKETCH_EXIT"
{%- endif %}


@@ -0,0 +1,12 @@
[SSL]
MAX_CACHE_LEN=10240
{%- if decoders.SSL_CERT == True %}
PARSE_CERTIFICATE_DETAIL=1
{%- else %}
PARSE_CERTIFICATE_DETAIL=0
{%- endif %}
{%- if decoders.SSL_DETAIN_FRAG_CHELLO == True %}
DETAIN_FRAG_CHELLO_NUM=6
{%- else %}
DETAIN_FRAG_CHELLO_NUM=0
{%- endif %}


@@ -0,0 +1,3 @@
rule_target := prometheus
rule_prerequisites :=
rule_recipes := $(call download_image_tar_from_url,prometheus-v25.8.2.tar)
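Review bot: The prometheus rule fetches `prometheus-v25.8.2.tar` and nothing verifies what arrived — `rule_prerequisites` is empty and the recipe is only the download call, so a tampered or truncated tarball is accepted, and presumably not re-fetched once the build stamp exists. A pinned digest committed next to this build.mk closes that: `rule_recipes := $(call download_image_tar_from_url,prometheus-v25.8.2.tar) && sha256sum -c prometheus/prometheus-v25.8.2.tar.sha256`, with the `.sha256` file naming the path the download macro writes to. The version string `v25.8.2` does not look like an upstream Prometheus release, so a comment noting it is an internal build would stop readers from assuming upstream provenance.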


@@ -0,0 +1,20 @@
{% import 'dockerfile-macros.j2' as macros -%}
ARG BASE_IMAGE
FROM ${BASE_IMAGE}
COPY files/redis-6.2.5-1.el7.remi.x86_64.rpm /tmp/
RUN dnf -y install /tmp/redis-6.2.5-1.el7.remi.x86_64.rpm && \
rm -rf /tmp/redis-6.2.5-1.el7.remi.x86_64.rpm && \
{{ macros.install_packages(packages) }} && \
{{ macros.clean_after_install_packages() }}
# files
COPY files/zlog.conf /opt/tsg/certstore/conf/
COPY files/cert-redis.conf /etc/
# templates
COPY templates/* /templates/
# scripts
COPY --chmod=755 entrypoint.sh /usr/local/bin/
WORKDIR /opt/tsg/certstore
CMD ["/bin/bash"]
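Review bot: There is no `USER` instruction, so certstore and the bundled redis run as root unless the chart's securityContext overrides it; a `RUN useradd -r certstore` plus `USER certstore` before `WORKDIR` (with /opt/tsg/certstore chowned) would make the image safe by default. `COPY files/redis-6.2.5-1.el7.remi.x86_64.rpm` pins an x86_64-only, EL7-era package into a dnf-based image, so an aarch64 build of this image cannot work, and 6.2.5 is several 6.2.x patch releases behind — worth checking against the Redis advisories before shipping. `entrypoint.sh` is copied but no `ENTRYPOINT` is set and `CMD` is `/bin/bash`; presumably the chart supplies the command, but a comment saying so would help.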


@@ -0,0 +1,3 @@
rule_target := proxy-certstore
rule_prerequisites := $(DEP_ENV_FILES) $(YUM_REPO_FILE) $(DOCKERFILE_MACROS) $(BUILD_DIR)/base/$(BUILD_DONE_FILE)
rule_recipes := $(call build_image_from_dockerfile,$(rule_target),$(IMAGE_REGISTRY)/base:$(IMAGE_TAG),$(IMAGE_REGISTRY)/$(rule_target):$(IMAGE_TAG))


@@ -0,0 +1,24 @@
#!/bin/sh -ex
source /usr/local/bin/entrypoint_public.sh
# start
ldconfig
parse_args "$@"
mkdir -p /opt/tsg/etc/
render_template cert_store.ini.j2 /opt/tsg/certstore/conf/cert_store.ini
render_template tsg_device_tag.json.j2 /opt/tsg/etc/tsg_device_tag.json
DEVICE_SN=$(read_device_sn_from_k8s_node_info)
echo "{\"sn\": \"$DEVICE_SN\"}" > /opt/tsg/etc/tsg_sn.json
if [ ${IS_ENABLE_PRESTART} == "true" ]; then
enable_prestart
fi
if [ ${IS_ENABLE_INTERACTIVE_STARTUP} == "true" ]; then
enable_interactive_startup
fi
exec /opt/tsg/certstore/bin/certstore
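Review bot: `if [ ${IS_ENABLE_PRESTART} == "true" ]` and the matching `IS_ENABLE_INTERACTIVE_STARTUP` test expand an unquoted, possibly unset variable inside `[`, so an unset value becomes `[ == "true" ]` — a syntax error that, under `-e`, aborts the container before `exec` — and `==` is not POSIX for `[` under `#!/bin/sh`. `if [ "${IS_ENABLE_PRESTART:-false}" = "true" ]; then` (and the same for the second test) is robust to both. `-x` also echoes every command with its arguments to the container log, including whatever `parse_args "$@"` receives; if any of those are secrets, drop `-x` or wrap that call in `set +x`/`set -x`. `source` is a bashism as well; `.` is the portable spelling.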



@@ -0,0 +1,11 @@
[global]
default format = "%d(%c), %V, %F, %U, %m%n"
rotate lock file = /tmp/certstore_zlog.lock
file perms = 644
[levels]
DEBUG=10
INFO=20
FATAL=30
[rules]
*.fatal "./logs/error.log.%d(%F)", 500M ~ "./logs/error.log.%d(%F).#2s";
*.fatal "./logs/certstore.log.%d(%F)", 500M ~ "./logs/certstore.log.%d(%F).#2s";
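Review bot: Both [rules] entries select `*.fatal`, so `certstore.log` receives exactly the same records as `error.log` and nothing ever captures INFO or DEBUG; with the levels declared as DEBUG=10/INFO=20/FATAL=30 the second rule was presumably meant to be `*.info "./logs/certstore.log.%d(%F)", 500M ~ "./logs/certstore.log.%d(%F).#2s";` (or `*.debug`). The rotate lock file sits in the shared, world-writable `/tmp` under a predictable name; `rotate lock file = /run/certstore/zlog.lock` keeps it where cert_store.ini already places crash reports and out of reach of any other process in the container.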


@@ -0,0 +1,4 @@
packages:
- name: certstore
version: 3.0.5.20241018.c8bca25
install_command: dnf


@@ -0,0 +1,56 @@
{% import '/templates/macros.j2' as macros -%}
[SYSTEM]
#1:print on screen, 0:don't
DEBUG_SWITCH = 1
RUN_LOG_PATH = "conf/zlog.conf"
[breakpad]
disable_coredump=0
enable_breakpad=0
enable_breakpad_upload=0
breakpad_minidump_dir="/run/certstore/crashreport"
breakpad_upload_tools="/opt/tsg/framework/bin/minidump_upload"
[CONFIG]
#Number of running threads
thread-nu = 4
#1 rsync, 0 sync
mode=1
#Local default root certificate is valid for 30 days by default
expire_after = 30
#Local default root certificate path
local_debug = 1
ca_path = ./cert/tsg-ca-v3-trust-ca.pem
untrusted_ca_path = ./cert/tsg-ca-v3-untrust-ca.pem
[MAAT]
#Configure the load mode,
#1: using local json
#2: using Redis reads
maat_json_switch=2
#When the loading mode is sent to the network, set the scanning configuration modification interval (s).
effective_interval=1
#Specify the location of the configuration library table file
table_info=./conf/table_info.conf
#Json file path when json schema is used
pxy_obj_keyring=./conf/pxy_obj_keyring.json
[LIBEVENT]
#Local monitor port number, default is 9991
port = 9991
[CERTSTORE_REDIS]
#The Redis server IP address and port number where the certificate is stored locally
ip = 127.0.0.1
port = 6379
[MAAT_REDIS]
#Maat monitors the Redsi server IP address and port number
ip = {{ macros.cm_address(external_resources.cm) }}
port = {{ macros.cm_port(external_resources.cm) }}
dbindex = {{ vsys_id }}
[stat]
statsd_server=127.0.0.1
statsd_port=8100
statsd_set_prometheus_port=9002
statsd_set_prometheus_url_path=/metrics
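Review bot: This production template ships with `DEBUG_SWITCH = 1` and `local_debug = 1`, and the comment on the latter ties it to the "local default root certificate"; if it makes certstore fall back to the bundled `tsg-ca-v3-trust-ca.pem` instead of operator-provisioned material, every deployment would issue from the same CA. That setting needs either a comment stating exactly what it does or a templated value defaulting to 0 like the other switches in this commit. `[CERTSTORE_REDIS]` points at 127.0.0.1:6379 with no password and the cert-redis.conf it relies on is not visible here — confirm that config binds to loopback only, since this service holds the proxy's key material. Minor: `#1 rsync, 0 sync` on `mode` almost certainly means async.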


@@ -0,0 +1,19 @@
{% import 'dockerfile-macros.j2' as macros -%}
ARG BASE_IMAGE
FROM ${BASE_IMAGE}
RUN {{ macros.install_packages(packages) }} && \
{{ macros.clean_after_install_packages() }}
# files
COPY files/doh.conf /opt/tsg/tfe/conf/doh/
COPY files/future.conf /opt/tsg/tfe/conf/tfe/
COPY files/tsg_diagnose_ca.pem /opt/tsg/tfe/resource/tfe/
COPY files/zlog.conf /opt/tsg/tfe/conf/tfe/
# templates
COPY templates/* /templates/
# scripts
COPY --chmod=755 entrypoint.sh /usr/local/bin/
WORKDIR /opt/tsg/tfe
CMD ["/bin/bash"]
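Review bot: No `USER` is set, so tfe runs as root by default; add a dedicated user and `USER` before `WORKDIR /opt/tsg/tfe` unless the chart's securityContext is the intended control. `COPY files/tsg_diagnose_ca.pem /opt/tsg/tfe/resource/tfe/` bakes a root CA into every proxy image — the certificate added in this commit is a self-signed "BadSSL Root Certificate Authority" with a ten-year validity; whether tfe treats it as a trust anchor or only serves it for diagnostics is not visible here, and a comment on this line stating which, and where its private key lives, is warranted. `CMD ["/bin/bash"]` with the entrypoint copied but no `ENTRYPOINT` matches the certstore image; presumably the chart supplies it.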


@@ -0,0 +1,3 @@
rule_target := proxy
rule_prerequisites := $(DEP_ENV_FILES) $(YUM_REPO_FILE) $(DOCKERFILE_MACROS) $(BUILD_DIR)/base/$(BUILD_DONE_FILE)
rule_recipes := $(call build_image_from_dockerfile,$(rule_target),$(IMAGE_REGISTRY)/base:$(IMAGE_TAG),$(IMAGE_REGISTRY)/$(rule_target):$(IMAGE_TAG))


@@ -0,0 +1,25 @@
#!/bin/sh -ex
source /usr/local/bin/entrypoint_public.sh
# start
ldconfig
parse_args "$@"
mkdir -p /opt/tsg/etc/
render_template tfe.conf.j2 /opt/tsg/tfe/conf/tfe/tfe.conf
render_template tsg_device_tag.json.j2 /opt/tsg/etc/tsg_device_tag.json
DEVICE_SN=$(read_device_sn_from_k8s_node_info)
echo "{\"sn\": \"$DEVICE_SN\"}" > /opt/tsg/etc/tsg_sn.json
if [ ${IS_ENABLE_PRESTART} == "true" ]; then
enable_prestart
fi
if [ ${IS_ENABLE_INTERACTIVE_STARTUP} == "true" ]; then
enable_interactive_startup
fi
exec /opt/tsg/tfe/bin/tfe


@@ -0,0 +1,12 @@
[doh]
enable=1
[maat]
table_appid=ATTR_APP_ID
table_qname=ATTR_DOH_QNAME
table_host=ATTR_SERVER_FQDN
[kafka]
ENTRANCE_ID=0
# if enable "en_sendlog", the iterm "tfe.conf [kafka] enable" must set 1
en_sendlog=1


@@ -0,0 +1,10 @@
[STAT]
no_stats=0
statsd_server=127.0.0.1
statsd_port=8100
histogram_bins=0.50,0.80,0.9,0.95
statsd_cycle=5
# FS_OUTPUT_STATSD=1, FS_OUTPUT_INFLUX_LINE=2
statsd_format=2
# printf diff Not available
# print_diff=1


@@ -0,0 +1,36 @@
-----BEGIN CERTIFICATE-----
MIIGWzCCBEOgAwIBAgIJAIEUARRZuqOXMA0GCSqGSIb3DQEBCwUAMHcxCzAJBgNV
BAYTAkNOMRAwDgYDVQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdCZWlqaW5nMRgwFgYD
VQQKDA9EaWFnbm9zZSBCYWRTU0wxKjAoBgNVBAMMIUJhZFNTTCBSb290IENlcnRp
ZmljYXRlIEF1dGhvcml0eTAeFw0yMTEyMDIwMzU0NDRaFw0zMTExMzAwMzU0NDRa
MHcxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdCZWlq
aW5nMRgwFgYDVQQKDA9EaWFnbm9zZSBCYWRTU0wxKjAoBgNVBAMMIUJhZFNTTCBS
b290IENlcnRpZmljYXRlIEF1dGhvcml0eTCCAiIwDQYJKoZIhvcNAQEBBQADggIP
ADCCAgoCggIBAOLd76Ea5epn0NNu5yF6gY1YrzqgFY8PoVP/qaaa+otHooKPqC3t
dwA/jhADP3d6UgS/94rsViGsdawx2jlHLv7TcuJeXMcsZjQAkBVfL5wkEhw5Csr4
/UmEeLiJiPyj+Dad+Ne7G4qfTv8802HSSBrv6kGcJSsHAzQ1AnzwBaITNmuR3IBE
0vmxulvXyfpsT413z+Ik2N6xp8rI6cINyqNMA356vgM/x79OunE52kTM5ocx7Wd6
vxUKRpYVPitbhvKvWF45YGkQ0LxnII6PwgnBeA+a0rvdq4XEfEPwyDmQ+H1cdozz
qhPJbTQgX1QL4dgM+erBYKpTjksX65kj89c7DNLdgbS26zDNcyD7oIXmYpwggJOt
J/2zSmN5L79Y8VT0VWlvSv3uTtViTZBPeIsWnT1Ea/sJP6IpjcePLR2MW0GGlcz9
X97ojp+Ws0I5VFdv77kLeel/2iO3rHPe6xMgJ/7zSre7t0vdwaDzQlsC9FUeDHJS
1SBT4sGfUZs82O8IvvxBSp15eTDlhHcYK/pMgvsC8PDrsiFcehMEh2olXlU/Qi/U
E9lL5Hv6/VmtMS0J0Y7buGfo4iSohVPIYB4Akq/jq3vOsWNIEV686eD8U0JCLxjb
bHkV4WrXJvvElxnB1OnhgF7jfxJgecMUi2bl4VZGWNucRwRmFXGsYsw/AgMBAAGj
gekwgeYwHQYDVR0OBBYEFBPYAnh6x+6Ls7Pv7XLsTJaXOrdaMIGpBgNVHSMEgaEw
gZ6AFBPYAnh6x+6Ls7Pv7XLsTJaXOrdaoXukeTB3MQswCQYDVQQGEwJDTjEQMA4G
A1UECAwHQmVpamluZzEQMA4GA1UEBwwHQmVpamluZzEYMBYGA1UECgwPRGlhZ25v
c2UgQmFkU1NMMSowKAYDVQQDDCFCYWRTU0wgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRo
b3JpdHmCCQCBFAEUWbqjlzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkq
hkiG9w0BAQsFAAOCAgEAtdA6Y3GATG9mOwOj3vyBjWCbTeVgRXomhquAOVIdh6Xl
+GUXlX2K/bcRW1GGi51s/RzNGOqTym7XHzzROJ2XhxnQcWHIqUpCb6IAGwsBxRVe
ruC8lUDcjitHm2BrdJsDnIpWA+iJ/ihuYuTaDwfIipao/NqftneWp+A6XjQ4pYsY
MoTRsk1HxvYGSLE4wKQhTH9JESCx7I8ltYAnF3bQLKfqcwuPvWNR3Vth5rl2bxfk
c7mmgpGjjQCsFZDcBnPxKqc12VPbmJEtsgP945SrwYCZkg1kd+py2kgcvccE5Y3g
sAhWCMNKMwc1Wg3tPNAQvzXZZKtRUOFd/5mcjkq0QWZcDdA1r74DhB2e22KitUok
YCdM0o+45EVMZVMe0QWUIgByz1PObM7IP1oEFEJ0afRc0Ra6scYXUBS7Nnk2UNxX
bsQrD0GdrX4pb7Zg1RJEgUU51UGflQpzyJuvQIjXT3pAk9IDKQUXi6lNiM85OGKn
HJYX48KuYlG7I0zIa7Tfz6rkcCxGsXe8jx5+4zVkul9gVxmmDAQv1jYOPvoXIFQc
TtfSekSxzop+DsMySQHQqjFOHtAYBoWjCLX9FNURJ/yPcsYpMrcrTDVzucPK8utK
jcCDir6QMO0z4heHZyV5alant/MYEquBe0ooCCAhh138HndvwVHjekh/le/lf28=
-----END CERTIFICATE-----
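Review bot: This certificate decodes to a self-signed root — subject O=Diagnose BadSSL, CN=BadSSL Root Certificate Authority, basicConstraints CA:TRUE, keyUsage keyCertSign/cRLSign, valid 2021-12-02 to 2031-11-30 — and it is copied into the proxy image as `tsg_diagnose_ca.pem`. If tfe uses it as a trust anchor, anything signed by its private key is trusted by every proxy; if it only backs a diagnostic page, a short README line next to it should say so. In either case the private key must not be in this repository or image, and the note should record who holds it.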


@@ -0,0 +1,24 @@
# kill -s SIGHUP "pid"
[global]
default format = "%d(%c), %t, %V, %F, %U, %m%n"
rotate lock file = /tmp/tfe_zlog.lock
file perms = 644
[levels]
DEBUG=10
INFO=20
FATAL=30
#DISABLE=40
[rules]
*.fatal "./log/error.log.%d(%F)", 500M ~ "./log/error.log.%d(%F).#2s";
tfe.fatal "./log/tfe.log.%d(%F)", 500M ~ "./log/tfe.log.%d(%F).#2s";
http.fatal "./log/http.log.%d(%F)", 500M ~ "./log/http.log.%d(%F).#2s";
http2.fatal "./log/http2.log.%d(%F)", 500M ~ "./log/http2.log.%d(%F).#2s";
doh.fatal "./log/doh_pxy.log.%d(%F)", 500M ~ "./log/doh_pxy.log.%d(%F).#2s";
tsg_http.fatal "./log/tsg_http_pxy.log.%d(%F)", 500M ~ "./log/tsg_http_pxy.log.%d(%F).#2s";
packet_io.fatal "./log/packet_io.log.%d(%F)", 500M ~ "./log/packet_io.log.%d(%F).#2s";
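Review bot: `file perms = 644` in `[global]` makes every log this proxy writes world-readable, including the rotated `#2s` copies; `file perms = 640` keeps them readable by the service group only, which matters for a TLS-intercepting proxy whose logs may carry connection metadata. `rotate lock file = /tmp/tfe_zlog.lock` is a fixed name in a shared directory, so if /tmp is ever shared with the host or a second instance, a pre-existing file of that name is used as the lock; a path under the service's own `./log/` directory, as the rules already use, avoids that. The commented `#DISABLE=40` level deserves a one-word comment saying whether it is intentionally off or a leftover.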


@@ -0,0 +1,6 @@
packages:
- name: tfe
version: 4.10.4.5c05bf4
download_command: dnf
install_command: rpm
install_command_options: "--prefix /opt/tsg/tfe"


@@ -0,0 +1,279 @@
{% import '/templates/macros.j2' as macros -%}
[system]
nr_worker_threads={{ 1 if tfe_affinity | length == 1 else (tfe_affinity | length - 1) }}
# Only when (disable_coredump == 1 || (enable_breakpad == 1 && enable_breakpad_upload == 1)) is satisfied, the core will not be generated locally
disable_coredump=0
enable_breakpad=0
enable_breakpad_upload=0
# must be /run/tfe/crashreport due to tmpfile limit
breakpad_minidump_dir=/run/tfe/crashreport
breakpad_upload_tools=/opt/tsg/framework/bin/minidump_upload
# ask for at least (1 + nr_worker_threads) masks
# the first mask for acceptor thread
# the others mask for worker thread
enable_cpu_affinity=1
cpu_affinity_mask={{ (tfe_affinity[0] ~ ',' ~ tfe_affinity[0]) if tfe_affinity | length == 1 else tfe_affinity | join(',') }}
# LEAST_CONN = 0; ROUND_ROBIN = 1
load_balance=1
[public]
vsys_id={{ vsys_id }}
data_center={{ macros.read_device_tag_value(device, "data_center") }}
device_group={{ macros.read_device_tag_value(device, "device_group") }}
device_id=DEVICE_ID_PLACE_HOLDER_MARK
# for enable kni v3
[nfq]
queue_id=1
queue_maxlen=655350
queue_rcvbufsiz=983025000
queue_no_enobufs=1
[kni]
# kni v1
#uxdomain=/var/run/.tfe_kni_acceptor_handler
# kni v2
#scm_socket_file=/var/run/.tfe_kmod_scm_socket
# send cmsg
send_switch=0
ip=127.0.0.1
cmsg_port=2475
# watch dog
watchdog_switch=0
watchdog_port=2476
[watchdog_tfe]
# The worker thread updates the timestamp every two seconds
# The watchdog thread checks the timestamp every second
enable=1
timeout_seconds=5
statistics_window=20
timeout_cnt_as_fail=3
timeout_debug=0
[ssl]
ssl_debug=0
# ssl version Not available, configured via TSG website
# ssl_max_version=tls13
# ssl_min_version=ssl3
ssl_compression=1
no_ssl2=1
no_ssl3=0
no_tls10=0
no_tls11=0
no_tls12=0
default_ciphers=ALL:-aNULL
no_cert_verify=0
# session ticket
no_session_ticket=0
stek_group_num=4096
stek_rotation_time=3600
# session cache
no_session_cache=0
session_cache_slots=4194304
session_cache_expire_seconds=1800
# service cache
service_cache_slots=4194304
service_cache_expire_seconds=300
service_cache_fail_as_pinning_cnt=4
service_cache_fail_as_proto_err_cnt=5
service_cache_fail_time_window=30
service_cache_succ_as_app_not_pinning_cnt=0
# cert
check_cert_crl=0
trusted_cert_load_local=1
trusted_cert_file=resource/tfe/tsg_diagnose_ca.pem
trusted_cert_dir=resource/tfe/trusted_storage
# master key
log_master_key=0
key_log_file=log/sslkeylog.log
[key_keeper]
#Mode: debug - generate cert with ca_path, normal - generate cert with cert store
#0 on cache 1 off cache
no_cache=0
mode=normal
cert_store_host=127.0.0.1
cert_store_port=9991
ca_path=resource/tfe/tango-ca-v3-trust-ca.pem
untrusted_ca_path=resource/tfe/tango-ca-v3-untrust-ca.pem
hash_slot_size=131072
hash_expire_seconds=300
cert_expire_time=24
# health_check only for "mode=normal" default 1
enable_health_check=1
[tsg_http]
enable_plugin=1
en_sendlog=1
[debug]
# 1 : enforce tcp passthrough
# 0 : Whether to passthrough depends on the tcp_options in cmsg
passthrough_all_tcp=0
[ratelimit]
read_rate=0
read_burst=0
write_rate=0
write_burst=0
[tcp]
# read rcv_buff/snd_buff options from tfe conf
sz_rcv_buffer=-1
sz_snd_buffer=-1
# 1 : use tcp_options in tfe.conf
# 0 : use tcp_options in cmsg
enable_overwrite=0
tcp_nodelay=1
so_keepalive=1
tcp_keepcnt=8
tcp_keepintvl=15
tcp_keepidle=30
tcp_user_timeout=600
tcp_ttl_upstream=75
tcp_ttl_downstream=70
[stat]
statsd_server=127.0.0.1
statsd_port=8900
statsd_cycle=5
# 1:FS_OUTPUT_STATSD; 2:FS_OUTPUT_INFLUX_LINE
statsd_format=2
histogram_bins=0.5,0.8,0.9,0.95
statsd_set_prometheus_port=9001
statsd_set_prometheus_url_path=/metrics
[traffic_mirror]
{% if traffic_mirror.enable_decrypted_traffic == True -%}
enable=1
{%- else -%}
enable=0
{%- endif %}
device={{ macros.safe_read(nic_mirror_name,"proxy") }}
app_symbol=proxy-mirror-{{ app_symbol_index }}
# 0:TRAFFIC_MIRROR_ETHDEV_AF_PACKET; 1:TRAFFIC_MIRROR_ETHDEV_MARSIO
type=1
table_info=resource/pangu/table_info_traffic_mirror.conf
stat_file=log/traffic_mirror.status
default_vlan_id=0
[kafka]
brokerlist={{ macros.address_port_pairs_render(external_resources.olap.kafka_brokers.addresses,",") }}
sasl_username={{ macros.safe_read(external_resources,"olap.kafka_brokers.sasl_username") }}
sasl_passwd={{ macros.safe_read(external_resources,"olap.kafka_brokers.sasl_password") }}
rule_hits_topic=POLICY-RULE-METRIC
proxy_event_topic=PROXY-EVENT
file_stream_topic=TRAFFIC-HTTP-FILE-STREAM-RECORD
exch_cert_topic=PXY-EXCH-INTERMEDIA-CERT
[maat]
# 0:json 1:redis
maat_input_mode=1
stat_switch=1
perf_switch=1
table_info=resource/pangu/table_info.conf
accept_path=/opt/tsg/etc/tsg_device_tag.json
stat_file=log/pangu_scan.fs2
effect_interval_s=1
deferred_load_on=0
# json mode conf iterm
json_cfg_file=resource/pangu/pangu_http.json
# redis mode conf iterm
maat_redis_server={{ macros.cm_address(external_resources.cm) }}
maat_redis_port_range={{ macros.cm_port(external_resources.cm) }}
maat_redis_db_index={{ vsys_id }}
[proxy_hits]
app_name="proxy_rule_hits"
output_fs_interval_ms=500
output_kafka_interval_ms=1000
# for enable kni v4
[packet_io]
dup_packet_filter_enable=1
dup_packet_filter_capacity=1000000
dup_packet_filter_timeout=10
# MESA_load_profile not support double
#dup_packet_filter_error_rate=0.00001
packet_io_debug=0
packet_io_threads={{ pktio_affinity | length }}
packet_io_cpu_affinity_mask={{ pktio_affinity | join(',') }}
firewall_sids={{ sid.firewall }}
proxy_sids={{ sid.proxy }}
service_chaining_sids={{ sid.sce }}
# bypass_all_traffic:1 NF2NF and SF2SF
bypass_all_traffic=0
rx_burst_max=128
app_symbol=proxy-{{ app_symbol_index }}
dev_nf_interface={{ proxy_config.proxy_nic }}
src_mac_addr = 00:0e:c6:d6:72:c1
# tap config
tap_name=tap0
# 1.tap_allow_mutilthread=1 load bpf rss obj
# 2.tap_allow_mutilthread=0 not load bpf rss obj
tap_allow_mutilthread=1
bpf_obj=/opt/tsg/tfe/resource/bpf/bpf_tun_rss_steering.o
# tap_bpf_debug_log: cat /sys/kernel/debug/tracing/trace_pipe
bpf_debug_log=0
# 2: BPF 使用二元组分流
# 4: BPF 使用四元组分流
bpf_hash_mode={{ distmode }}
# 配置 tap 网卡的 RPS
tap_rps_enable=1
tap_rps_mask={{ tfe_rps_mask }}
# iouring config
enable_iouring=1
enable_debuglog=0
ring_size=1024
buff_size=2048
# io_uring_setup() flags
# IORING_SETUP_IOPOLL (1U << 0) /* io_context is polled */
# IORING_SETUP_SQPOLL (1U << 1) /* SQ poll thread */
# IORING_SETUP_SQ_AFF (1U << 2) /* sq_thread_cpu is valid */
# IORING_SETUP_CQSIZE (1U << 3) /* app defines CQ size */
# IORING_SETUP_CLAMP (1U << 4) /* clamp SQ/CQ ring sizes */
# IORING_SETUP_ATTACH_WQ (1U << 5) /* attach to existing wq */
# IORING_SETUP_R_DISABLED (1U << 6) /* start with ring disabled */
# IORING_SETUP_SUBMIT_ALL (1U << 7) /* continue submit on error */
flags=0
sq_thread_idle=0
[traffic_steering]
enable_steering_http=0
enable_steering_ssl=0
# 17: 0x11
so_mask_client=17
# 34: 0x22
so_mask_server=34
device_client=tap_c
device_server=tap_s
http_keepalive_enable=0
http_keepalive_path="/metrics"
http_keepalive_addr=192.168.41.60
http_keepalive_port=9273
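Review bot: The `[ssl]` block enables TLS compression (`ssl_compression=1`), leaves SSLv3, TLS 1.0 and TLS 1.1 accepted (`no_ssl3=0`, `no_tls10=0`, `no_tls11=0`) and uses `default_ciphers=ALL:-aNULL`, which, if this is an OpenSSL cipher string, still admits export, RC4 and other weak suites; the comment above says only the max/min version comes from the TSG website, so these are the defaults that ship. A safer baseline is `ssl_compression=0`, `no_ssl3=1` and a cipher string that excludes weak suites, e.g. `default_ciphers=HIGH:!aNULL:!eNULL:!RC4:!EXPORT`. `log_master_key=0` / `key_log_file=log/sslkeylog.log` should carry a comment such as `# 1 writes the TLS session secrets of every intercepted connection to key_log_file (NSS key-log format) — debugging only` so nobody flips it on in production casually. `sasl_passwd` renders the Kafka password into this file in clear text, so the entrypoint that renders it should create the file with owner-only permissions; the same applies to sce.conf.j2 and shaping.conf.j2 below.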


@@ -0,0 +1,15 @@
{% import 'dockerfile-macros.j2' as macros -%}
ARG BASE_IMAGE
FROM ${BASE_IMAGE}
COPY files/libyang2-2.0.7-1.el8.x86_64.rpm /tmp/
RUN rpm -i /tmp/libyang2-2.0.7-1.el8.x86_64.rpm && \
rm -rf /tmp/libyang2-2.0.7-1.el8.x86_64.rpm && \
{{ macros.install_packages(packages) }} && \
{{ macros.clean_after_install_packages() }}
COPY --chmod=755 entrypoint.sh /usr/local/bin/
WORKDIR /opt/tsg/bfdd
CMD ["/bin/bash"]
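Review bot: `files/libyang2-2.0.7-1.el8.x86_64.rpm` in the `COPY`/`RUN rpm -i` pair is hard-wired to x86_64 while the rest of the build derives an image architecture from `uname -m`, so an arm64 build would install an x86_64 package or fail at `rpm -i`. Either select the file through a build arg (e.g. `ARG TARGETARCH` and a per-arch filename) or add libyang2 to `manifest.yaml` so `install_packages` resolves it from the repository the way `bfdd` itself is installed. `rm -rf` on a single file is better written as `rm -f`. The image also sets no `USER` and does not declare the copied `entrypoint.sh` as `ENTRYPOINT`, so the process runs as root under whatever command the deployment passes.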


@@ -0,0 +1,3 @@
rule_target := sce-bfdd
rule_prerequisites := $(DEP_ENV_FILES) $(YUM_REPO_FILE) $(DOCKERFILE_MACROS) $(BUILD_DIR)/base/$(BUILD_DONE_FILE)
rule_recipes := $(call build_image_from_dockerfile,$(rule_target),$(IMAGE_REGISTRY)/base:$(IMAGE_TAG),$(IMAGE_REGISTRY)/$(rule_target):$(IMAGE_TAG))
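Review bot: `$(DEP_ENV_FILES)` on the `rule_prerequisites` line is not defined in any makefile visible in this commit; if it is undefined it expands to nothing (or warns under `--warn-undefined-variables`), and the image is then never rebuilt when the tag env file changes. Either define it in the top-level Makefile next to the env-file rule or reference the variable that is actually defined there; the same line appears in the sce and shaping build.mk hunks below. Because `rule_recipes` is assigned with `:=`, the `$(call build_image_from_dockerfile,…)` is expanded at include time, so `$(IMAGE_TAG)` and `$(YUM_REPO_FILE)` must already be set when make parses this file — worth a one-line comment, e.g. `# expanded eagerly at include time: IMAGE_TAG and YUM_REPO_FILE must be set before make reads this file`.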


@@ -0,0 +1,22 @@
#!/bin/sh -ex
source /usr/local/bin/entrypoint_public.sh
# start
ldconfig
parse_args "$@"
mkdir -p /opt/tsg/etc/
DEVICE_SN=$(read_device_sn_from_k8s_node_info)
echo "{\"sn\": \"$DEVICE_SN\"}" > /opt/tsg/etc/tsg_sn.json
if [ ${IS_ENABLE_PRESTART} == "true" ]; then
enable_prestart
fi
if [ ${IS_ENABLE_INTERACTIVE_STARTUP} == "true" ]; then
enable_interactive_startup
fi
exec /opt/tsg/bfdd/bin/bfdd -u root -g root
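Review bot: The two `if [ ${IS_ENABLE_…} == "true" ]` tests use the unquoted variable and the `==` operator; under `#!/bin/sh` `==` is a bashism, and an unset variable turns the test into `[ == "true" ]`, a syntax error that is silently taken as false instead of being reported. Write `if [ "${IS_ENABLE_PRESTART:-false}" = "true" ]; then` and the same for `IS_ENABLE_INTERACTIVE_STARTUP`; the sce and shaping entrypoints below share the pattern, as well as `source`, another bashism under `/bin/sh`. `echo "{\"sn\": \"$DEVICE_SN\"}"` builds JSON by concatenation, so a serial number containing `"` or `\` yields an invalid file — acceptable only if `read_device_sn_from_k8s_node_info` is known to return a plain token. The final `exec … -u root -g root` looks like bfdd's privilege-drop switches set back to root; if root is required for its sockets a comment saying so would stop a later reader from "fixing" it, and if not, a dedicated user is preferable.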


@@ -0,0 +1,4 @@
packages:
- name: bfdd
version: 1.0.3-release
install_command: dnf


@@ -0,0 +1,15 @@
{% import 'dockerfile-macros.j2' as macros -%}
ARG BASE_IMAGE
FROM ${BASE_IMAGE}
RUN {{ macros.install_packages(packages) }} && \
{{ macros.clean_after_install_packages() }}
# files
COPY files/zlog.conf /opt/tsg/sce/conf/
# templates
COPY templates/* /templates/
# scripts
COPY --chmod=755 entrypoint.sh /usr/local/bin/
WORKDIR /opt/tsg/sce
CMD ["/bin/bash"]
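Review bot: `entrypoint.sh` is copied to `/usr/local/bin/` but neither `ENTRYPOINT` nor `CMD` references it — `CMD ["/bin/bash"]` is what runs unless the deployment overrides the command, so the template rendering and SN-file creation done by the script are skipped for a plain `podman run`. If the script is the intended process wrapper, declare it: `ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]`, keeping `CMD` for optional arguments; the shaping Dockerfile below is the same. No `USER` is set either, so both images run as root by default, which should at least be stated in a comment if the packet-I/O path requires it.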

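--- a/containers/sce/build.mk
+++ b/containers/sce/build.mk
@@ -0,0 +1,3 @@
+rule_target := sce
+rule_prerequisites := $(DEP_ENV_FILES) $(YUM_REPO_FILE) $(DOCKERFILE_MACROS) $(BUILD_DIR)/base/$(BUILD_DONE_FILE)
+rule_recipes := $(call build_image_from_dockerfile,$(rule_target),$(IMAGE_REGISTRY)/base:$(IMAGE_TAG),$(IMAGE_REGISTRY)/$(rule_target):$(IMAGE_TAG))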


@@ -0,0 +1,26 @@
#!/bin/sh -ex
source /usr/local/bin/entrypoint_public.sh
# start
ldconfig
parse_args "$@"
mkdir -p /opt/tsg/etc/
render_template sce.conf.j2 /opt/tsg/sce/conf/sce.conf
render_template tsg_device_tag.json.j2 /opt/tsg/etc/tsg_device_tag.json
DEVICE_SN=$(read_device_sn_from_k8s_node_info)
echo "{\"sn\": \"$DEVICE_SN\"}" > /opt/tsg/etc/tsg_sn.json
if [ ${IS_ENABLE_PRESTART} == "true" ]; then
enable_prestart
fi
if [ ${IS_ENABLE_INTERACTIVE_STARTUP} == "true" ]; then
enable_interactive_startup
fi
exec /opt/tsg/sce/bin/sce


@@ -0,0 +1,12 @@
# kill -s SIGHUP "pid"
[global]
default format = "%d(%c), %V, %F, %U, %m%n"
[levels]
DEBUG=10
INFO=20
FATAL=30
[rules]
sce.fatal "./log/sce.log.%d(%F)", 500M ~ "./log/sce.log.%d(%F).#2s";


@@ -0,0 +1,4 @@
packages:
- name: sce
version: 1.3.6.431ac5f
install_command: dnf


@@ -0,0 +1,94 @@
{% import '/templates/macros.j2' as macros -%}
[system]
nr_worker_threads={{ sce_affinity | length }}
cpu_affinity_mask={{ sce_affinity | join(',') }}
firewall_sids={{ sid.firewall }}
stateless_sids=900
enable_debug=0
enable_send_log=1
ts_update_interval_ms=1
# Only when (disable_coredump == 1 || (enable_breakpad == 1 && enable_breakpad_upload == 1)) is satisfied, the core will not be generated locally
disable_coredump=0
enable_breakpad=0
enable_breakpad_upload=0
# must be /run/sce/crashreport, due to tmpfile limit
breakpad_minidump_dir=/run/sce/crashreport
breakpad_upload_tools=/opt/tsg/framework/bin/minidump_upload
[maat]
# 0:json 1:redis
input_mode=1
# LOG_LEVEL_TRACE = 0; LOG_LEVEL_DEBUG = 1; LOG_LEVEL_INFO = 2;
# LOG_LEVEL_WARN = 3; LOG_LEVEL_ERROR = 4; LOG_LEVEL_FATAL = 5;
log_level=5
stat_switch=1
perf_switch=1
scan_detail=0
deferred_load=0
effect_interval_ms=1000
stat_file=log/maat.fs2
table_info=resource/table_info.conf
accept_path=/opt/tsg/etc/tsg_device_tag.json
json_cfg_file=resource/sce.json
foreign_cont_dir=resource/foreign_files
redis_db_idx={{ vsys_id }}
redis_server={{ macros.cm_address(external_resources.cm) }}
redis_port_range={{ macros.cm_port(external_resources.cm) }}
max_chaining_size=32
[packet_io]
# bypass_traffic:0 disable
# bypass_traffic:1 bypass all traffic
# bypass_traffic:2 bypass raw traffic
# bypass_traffic:3 bypass decrypted traffic
bypass_traffic=0
rx_burst_max=128
min_timeout_ms=900
app_symbol=sce-{{ app_symbol_index }}
dev_nf_name={{ sce_config.steering_nic }}
# dev_endpoint_l2 for vlan
dev_endpoint_l2_name={{ sce_config.vlan_config.endpoint_nic }}
vlan_encapsulate_replace_orig_vlan_header=0
# dev_endpoint_l3 for vxlan
dev_endpoint_l3_name={{ sce_config.vxlan_config.endpoint_nic }}
dev_endpoint_l3_ip={{ sce_config.vxlan_config.endpoint_ip }}
# dev_endpoint_l3_mac=aa:aa:aa:aa:aa:aa
[stat]
output_file=log/sce.fs2
statsd_server=127.0.0.1
statsd_port=8100
# 1 : FS_OUTPUT_STATSD
# 2 : FS_OUTPUT_INFLUX_LINE
statsd_format=2
statsd_cycle=2
prometheus_listen_port=9006
prometheus_listen_url=/metrics
[metrics]
output_fs_interval_ms=500
output_kafka_interval_ms=1000
data_center={{ macros.read_device_tag_value(device, "data_center") }}
device_group={{ macros.read_device_tag_value(device, "device_group") }}
device_id=DEVICE_ID_PLACE_HOLDER_MARK
[bfdd]
enable=1
# use default_gw_mac when enable = 0
default_gw_mac=aa:aa:aa:aa:aa:aa
path=/run/frr/bfdd.vty
device={{ sce_config.vxlan_config.endpoint_nic }}
local_address={{ sce_config.vxlan_config.endpoint_ip }}
gateway={{ macros.safe_read(sce_config,"vxlan_config.endpoint_gateway") }}
icmp_cycle_time_s=10
[kafka]
enable_debug=0
brokerlist={{ macros.address_port_pairs_render(external_resources.olap.kafka_brokers.addresses,",") }}
sasl_username={{ macros.safe_read(external_resources,"olap.kafka_brokers.sasl_username") }}
sasl_passwd={{ macros.safe_read(external_resources,"olap.kafka_brokers.sasl_password") }}
topic_name=POLICY-RULE-METRIC
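Review bot: `default_gw_mac=aa:aa:aa:aa:aa:aa` in `[bfdd]` is the same placeholder value as the commented `dev_endpoint_l3_mac` example, yet the comment says it is used whenever `enable=0`; with bfdd disabled, egress would be addressed to a non-existent MAC. Either render it from the deployment configuration (a `<gateway MAC>` field read with `macros.safe_read(sce_config, …)` like `gateway` is) or state in the comment that `enable=0` is unsupported in this template. `stateless_sids=900` is the only hard-coded service ID next to the templated `firewall_sids`; a comment on where 900 comes from would help the next reader. Like tfe.conf.j2, this file renders `sasl_passwd` in clear text, so the entrypoint should create `/opt/tsg/sce/conf/sce.conf` with owner-only permissions.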


@@ -0,0 +1,16 @@
{% import 'dockerfile-macros.j2' as macros -%}
ARG BASE_IMAGE
FROM ${BASE_IMAGE}
RUN {{ macros.install_packages(packages) }} && \
{{ macros.clean_after_install_packages() }}
# files
COPY files/zlog.conf /opt/tsg/shaping_engine/conf/
# templates
COPY templates/* /templates/
# scripts
COPY --chmod=755 entrypoint.sh /usr/local/bin/
WORKDIR /opt/tsg/shaping_engine
CMD ["/bin/bash"]


@@ -0,0 +1,3 @@
rule_target := shaping
rule_prerequisites := $(DEP_ENV_FILES) $(YUM_REPO_FILE) $(DOCKERFILE_MACROS) $(BUILD_DIR)/base/$(BUILD_DONE_FILE)
rule_recipes := $(call build_image_from_dockerfile,$(rule_target),$(IMAGE_REGISTRY)/base:$(IMAGE_TAG),$(IMAGE_REGISTRY)/$(rule_target):$(IMAGE_TAG))


@@ -0,0 +1,38 @@
#!/bin/sh -ex
source /usr/local/bin/entrypoint_public.sh
set_configs_in_runtime()
{
local podname=${HOSTNAME}
local CLUSTER_ANNOUNCE_PORT=$(read_nodeport_from_service ${podname}-8551 default)
local HEALTH_CHECK_ANNOUNCE_PORT=$(read_nodeport_from_service ${podname}-8552 default)
sed -Ei -c "s|NODE_IP_LOCATION|${NODE_IP?}|g" /opt/tsg/shaping_engine/conf/shaping.conf
sed -Ei -c "s|CLUSTER_ANNOUNCE_PORT_LOCATION|${CLUSTER_ANNOUNCE_PORT?}|g" /opt/tsg/shaping_engine/conf/shaping.conf
sed -Ei -c "s|HEALTH_CHECK_ANNOUNCE_PORT_LOCATION|${HEALTH_CHECK_ANNOUNCE_PORT?}|g" /opt/tsg/shaping_engine/conf/shaping.conf
}
# start
ldconfig
parse_args "$@"
mkdir -p /opt/tsg/etc/
render_template shaping.conf.j2 /opt/tsg/shaping_engine/conf/shaping.conf
render_template tsg_device_tag.json.j2 /opt/tsg/etc/tsg_device_tag.json
DEVICE_SN=$(read_device_sn_from_k8s_node_info)
echo "{\"sn\": \"$DEVICE_SN\"}" > /opt/tsg/etc/tsg_sn.json
set_configs_in_runtime
if [ ${IS_ENABLE_PRESTART} == "true" ]; then
enable_prestart
fi
if [ ${IS_ENABLE_INTERACTIVE_STARTUP} == "true" ]; then
enable_interactive_startup
fi
exec /opt/tsg/shaping_engine/bin/shaping_engine
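Review bot: In `set_configs_in_runtime`, `local CLUSTER_ANNOUNCE_PORT=$(read_nodeport_from_service …)` combines declaration and assignment, so the exit status of `read_nodeport_from_service` is masked and `set -e` never sees a failure; only the later `${CLUSTER_ANNOUNCE_PORT?}` catches an empty result, not a wrong one. Split them: `local CLUSTER_ANNOUNCE_PORT` on one line and `CLUSTER_ANNOUNCE_PORT=$(read_nodeport_from_service "${podname}-8551" default)` on the next, and the same for `HEALTH_CHECK_ANNOUNCE_PORT`. The namespace `default` and the `-8551`/`-8552` service-name suffixes are hard-coded here, so a comment naming the Service objects they must match (and who creates them) would help. `sed -Ei -c` relies on GNU sed's `--copy` mode, presumably to keep the file's inode and ownership; a short comment saying why would explain the unusual flag.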


@@ -0,0 +1,13 @@
[global]
default format = "%d(%c), %V, %F, %U, %m%n"
[levels]
DEBUG=10
INFO=20
FATAL=30
[rules]
log_shaping.fatal "./log/shaping.log.%d(%F)", 500M ~ "./log/shaping.log.%d(%F).#2s";
#log_shaping.fatal >stdout;
#log_shaping.info "./log/info_shaping.log.%d(%F)";
#log_shaping.debug "./log/debug_shaping.log.%d(%F)";


@@ -0,0 +1,4 @@
packages:
- name: shaping_engine
version: 3.2.0.ef65ec1
install_command: dnf


@@ -0,0 +1,49 @@
{% import '/templates/macros.j2' as macros -%}
[SYSTEM]
WORK_THREAD_NUM={{ shaping_affinity | length }}
ENABLE_CPU_AFFINITY=1
CPU_AFFINITY_MASK={{ shaping_affinity | join(',') }}
firewall_sids={{ sid.firewall }}
[MARSIO]
DEV_INTERFACE="{{ shaping_config.shaping_nic }}"
RX_BRUST_MAX=64
APP_SYMBOL="shaping-{{ app_symbol_index }}"
[MAAT]
INPUT_MODE=1
TABLE_INFO="conf/table_info.json"
JSON_FILE="conf/shaping_maat.json"
REDIS_DB_IDX={{ vsys_id }}
REDIS_IP="{{ macros.cm_address(external_resources.cm) }}"
REDIS_PORT="{{ macros.cm_port(external_resources.cm) }}"
[SWARMKV]
SWARMKV_CLUSTER_NAME="tsg-shaping-vsys{{ vsys_id }}"
SWARMKV_NODE_IP="0.0.0.0"
SWARMKV_NODE_PORT=8551
SWARMKV_CONSUL_IP="NODE_IP_LOCATION"
SWARMKV_CONSUL_PORT=8500
SWARMKV_CLUSTER_ANNOUNCE_IP="NODE_IP_LOCATION"
SWARMKV_CLUSTER_ANNOUNCE_PORT=CLUSTER_ANNOUNCE_PORT_LOCATION
SWARMKV_HEALTH_CHECK_PORT=8552
SWARMKV_HEALTH_CHECK_ANNOUNCE_PORT=HEALTH_CHECK_ANNOUNCE_PORT_LOCATION
[METRIC]
DATA_CENTER={{ macros.read_device_tag_value(device, "data_center") }}
DEVICE_GROUP={{ macros.read_device_tag_value(device, "device_group") }}
DEVICE_ID="DEVICE_ID_PLACE_HOLDER_MARK"
KAFKA_TOPIC="POLICY-RULE-METRIC"
KAFKA_BROKERS="{{ macros.address_port_pairs_render(external_resources.olap.kafka_brokers.addresses,",") }}"
KAFKA_USERNAME="{{ macros.safe_read(external_resources,"olap.kafka_brokers.sasl_username") }}"
KAFKA_PASSWORD="{{ macros.safe_read(external_resources,"olap.kafka_brokers.sasl_password") }}"
[CONFIG]
#PROFILE_QUEUE_LEN_PER_PRIORITY_MAX=128
SESSION_QUEUE_LEN_MAX=32
QUEUEING_SESSIONS_PER_PRIORITY_PER_THREAD_MAX=1024
POLLING_NODE_NUM_MAX={"polling_node_num_max":[ 3, 2, 2, 2, 2, 2, 2, 2, 2, 2 ]}
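Review bot: `SWARMKV_NODE_IP="0.0.0.0"` binds the cluster port 8551 (and presumably the health-check port 8552) on every interface, while the announce address is the node IP and the entrypoint publishes the ports through NodePort services; if peers only ever reach this node via the announced address, binding to `NODE_IP_LOCATION` here as well would narrow what listens on other interfaces — confirm against how swarmkv is expected to be reached. The `[METRIC]` block carries `KAFKA_PASSWORD` in clear text, as the sce and tfe templates do, so the rendered `shaping.conf` needs restrictive file permissions. `RX_BRUST_MAX=64` reads like a typo for `RX_BURST_MAX` (the sce template uses `rx_burst_max`), but it is a key the program parses, so check the shaping_engine source before changing it and leave a comment if the spelling is intentional.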


@@ -0,0 +1,7 @@
requisites_images_name := firewall proxy proxy-certstore sce sce-bfdd shaping
rule_target := traffic-engine
rule_prerequisites := $(foreach name,$(requisites_images_name),$(BUILD_DIR)/$(name)/$(BUILD_DONE_FILE))
rule_recipes := rm -rf $(IMAGE_TAR_DIR)/$(rule_target)-$(IMAGE_TAG)-$(IMAGE_ARCH)-docker.tar;\
podman save \
-o $(IMAGE_TAR_DIR)/$(rule_target)-$(IMAGE_TAG)-$(IMAGE_ARCH)-docker.tar \
-m $(foreach name,$(requisites_images_name),$(IMAGE_REGISTRY)/$(name):$(IMAGE_TAG))
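Review bot: The tar path in the `rm -rf` and `podman save -o` lines uses the raw `$(IMAGE_TAG)`, so a tag containing `/` turns the output into a sub-directory path that `podman save -o` cannot create; `rm -rf` on a single file is also more than is needed. Use `$(IMAGE_TAR_DIR)/$(rule_target)-$(IMAGE_TAG:/=_)-$(IMAGE_ARCH)-docker.tar` in both places and `rm -f` for the removal. `rule_prerequisites` ties this target to the six images' `build.done` stamps but not to the images in the local store, so a stamp that survives a `podman rmi` makes `podman save` fail at recipe time rather than triggering a rebuild — worth a comment next to `requisites_images_name`.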


@@ -0,0 +1,22 @@
tsg_cm_image_registry := ci1.bj.geedge.net
tsg_cm_images := $(tsg_cm_image_registry)/tsg/cm/tsg-cm:api_v24.09_2024090501 \
$(tsg_cm_image_registry)/common/mariadb:10.11.8 \
$(tsg_cm_image_registry)/tsg/cm/cm-verify:tsg_v24.09_20240906
rule_target := tsg-cm
rule_prerequisites :=
define rule_recipes
[ -z "${TSG_CM_IMAGE_REGISTRY_AUTH_USERNAME}" ] && echo "username not set." && exit 1 || true
[ -z "${TSG_CM_IMAGE_REGISTRY_AUTH_PASSWORD}" ] && echo "password not set." && exit 1 || true
buildah login \
-u ${TSG_CM_IMAGE_REGISTRY_AUTH_USERNAME} \
-p ${TSG_CM_IMAGE_REGISTRY_AUTH_PASSWORD} $(tsg_cm_image_registry); \
for image in $(tsg_cm_images); do \
buildah pull $$$$image || exit 1; \
done
mkdir -p $(IMAGE_TAR_DIR); \
podman save -o $(IMAGE_TAR_DIR)/$(rule_target)-docker.tar -m $(tsg_cm_images)
endef
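Review bot: `buildah login -u … -p ${TSG_CM_IMAGE_REGISTRY_AUTH_PASSWORD}` puts the registry password on the command line, where make echoes it into the build log (the line is not `@`-prefixed) and any local process can read it via `ps`. Feed it on stdin and silence the line instead: `@printf '%s' "$$$$TSG_CM_IMAGE_REGISTRY_AUTH_PASSWORD" | buildah login -u "$$$$TSG_CM_IMAGE_REGISTRY_AUTH_USERNAME" --password-stdin $(tsg_cm_image_registry)` (four `$` because this body is expanded once by `$(call)` and again by `$(eval)`, as the loop's `$$$$image` already shows). The `[ -z "${…}" ] && echo … && exit 1 || true` guards go through the same double expansion, so the braces are resolved by make from its environment rather than by the shell — that only works while the variables are exported into make's environment, which deserves a comment. `tsg_cm_images` pins third-party and CM images by tag only; pulling by digest (`image@sha256:<digest from the release manifest>`) would make the saved tar reproducible and tamper-evident.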

44
helmcharts/Makefile Normal file

@@ -0,0 +1,44 @@
export VERSION
export APP_VERSION
HELMCHART_NAMES := $(shell find . -maxdepth 1 -type d ! -name "build" ! -name "." | sed 's|^\./||')
BUILD_DIR := build
HELMCHART_TAR_DIR := $(BUILD_DIR)/helmcharts
MANIFEST_DIR := $(BUILD_DIR)/manifests
BUILD_DONE_FILE := build.done
define build_rule
$(1): $(BUILD_DIR)/$(1)/$(BUILD_DONE_FILE)
$(BUILD_DIR)/$(1)/$(BUILD_DONE_FILE): $(shell find $(1) -type f) $(2)
@mkdir -p $(BUILD_DIR)/$(1)
$(3)
@echo done > $(BUILD_DIR)/$(1)/$(BUILD_DONE_FILE)
endef
define build_helmchart_package
@mkdir -p $(HELMCHART_TAR_DIR)
/usr/local/bin/helm package --app-version $(3) --version $(2) -d $(HELMCHART_TAR_DIR) $(1)/helm
endef
define copy_helmchart_package
@mkdir -p $(HELMCHART_TAR_DIR)
cp $(1)/files/*.tgz $(HELMCHART_TAR_DIR)
endef
define copy_manifest
@mkdir -p $(MANIFEST_DIR)
cp $(1)/files/*.yaml $(MANIFEST_DIR)
endef
.PHONY: all clean $(HELMCHART_NAMES)
all: $(HELMCHART_NAMES)
$(foreach name,$(HELMCHART_NAMES),\
$(eval include $(name)/build.mk);\
$(eval $(call build_rule,$(rule_target),$(rule_prerequisites),$(rule_recipes)))))
clean:
rm -rf $(BUILD_DIR)
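Review bot: The `$(eval $(call build_rule,…,$(rule_recipes)))))` line in the `foreach` loop closes one more parenthesis than the foreach/eval/call chain opens, so the stray `)` ends up as text in the expansion and make stops with a missing-separator style error; either a character was dropped in rendering or the line should end with `$(rule_recipes))))`, which is worth checking against the file. `HELMCHART_NAMES` takes every top-level directory except `build`, so any non-chart directory added later becomes a target whose `include $(name)/build.mk` fails at parse time — a comment on that convention, or a `$(wildcard */build.mk)`-based list, would make it explicit. `build_rule` and `build_helmchart_package` have no header comments; a one-liner each (`# $(1)=chart dir, $(2)=prerequisites, $(3)=recipe text` and `# $(1)=chart dir, $(2)=chart version, $(3)=app version`) would save readers a trip to the call sites.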


@@ -0,0 +1,7 @@
rule_target := prometheus
rule_prerequisites :=
define rule_recipes
$(call copy_helmchart_package,$(rule_target))
$(call copy_manifest,$(rule_target))
endef
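Review bot: `copy_helmchart_package` and `copy_manifest` ship whatever `*.tgz` and `*.yaml` sit in `prometheus/files/` — the chart tarball is a binary committed to the repository, so nothing records which upstream release it is or verifies it before it is packaged. Add a checksum step before the copy, e.g. `sha256sum -c $(rule_target)/files/SHA256SUMS` with the expected digest committed alongside, or replace the vendored file with a `helm pull` of the pinned chart version at build time. `rule_prerequisites :=` being empty means a changed tarball only triggers a rebuild through `build_rule`'s `find $(1) -type f` list, which is worth a comment so nobody "fixes" the empty assignment.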

Binary file not shown.


@@ -0,0 +1,203 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: prometheus
namespace: kube-system
spec:
chart: https://%{KUBERNETES_API}%/static/charts/prometheus-25.8.2.tgz
targetNamespace: tsg-os-system
valuesContent: |-
kube-state-metrics:
image:
pullPolicy: Never
server:
image:
pullPolicy: Never
service:
servicePort: 8080
nodePort: 30080
type: NodePort
global:
scrape_interval: 15s
configmapReload:
prometheus:
image:
pullPolicy: Never
alertmanager:
image:
pullPolicy: Never
alertmanager:
image:
pullPolicy: Never
prometheus-pushgateway:
nameOverride: pushgateway
image:
pullPolicy: Never
prometheus-node-exporter:
nameOverride: node-exporter
image:
pullPolicy: Never
service:
annotations:
prometheus.io/scrape: "true"
tsg/monitor: "true"
extraArgs:
- --collector.ethtool
- --collector.ethtool.device-include=.*
- --collector.ethtool.metrics-include=.*
- --collector.cpu.info
- --collector.netdev
- --collector.netdev.address-info
serverFiles:
prometheus.yml:
scrape_configs:
- job_name: 'cadvisor'
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
relabel_configs:
- target_label: __address__
replacement: kubernetes.default.svc:443
- source_labels: [__meta_kubernetes_node_name]
regex: (.+)
target_label: __metrics_path__
replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor
metric_relabel_configs:
- source_labels: [pod]
action: replace
target_label: serviceFunction
regex: (.*)-(firewall|proxy|shaping|sce)-([a-z0-9]+)-([a-z0-9]+)
replacement: $1
- regex: instance
action: labeldrop
- regex: id
action: labeldrop
- regex: image
action: labeldrop
- regex: name
action: labeldrop
- regex: namespace
action: labeldrop
- regex: pod
action: labeldrop
- source_labels: [__name__, device]
separator: ';'
regex: '^container_fs\w+;(.+k3s/containerd.+|.+kubelet/pods.+)'
action: drop
- source_labels: [__name__, device]
separator: ';'
regex: '^container_fs\w+;overlay.+'
action: drop
- job_name: 'exporter'
honor_labels: true
kubernetes_sd_configs:
- role: endpoints
relabel_configs:
- source_labels: [__meta_kubernetes_namespace]
action: keep
regex: tsg-os-system
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
action: keep
regex: true
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape_slow]
action: drop
regex: true
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
action: replace
target_label: __scheme__
regex: (https?)
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
action: replace
target_label: __address__
regex: (.+?)(?::\d+)?;(\d+)
replacement: $1:$2
- source_labels: [__meta_kubernetes_service_name]
action: replace
target_label: service
metric_relabel_configs:
- source_labels: [app]
action: replace
target_label: serviceFunctionIndex
regex: (sapp4|tfe|shaping|sce)(-|_)(.*)
replacement: $3
- source_labels: [__name__, device]
separator: ';'
regex: '^node\w+;(lo|usb\d+|cnibr\d+|docker\d+|br_dign_[sc]|virtio_dign_[sc]|veth\w+)'
action: drop
- source_labels: [__name__, type]
separator: ';'
regex: '^systemd\w+;(scope|mount|device|slice)'
action: drop
- regex: image_id
action: labeldrop
- regex: container_id
action: labeldrop
- regex: uid
action: labeldrop
- regex: image_spec
action: labeldrop
- source_labels: [mountpoint]
separator: ';'
regex: '(.+k3s/containerd.+|.+kubelet/pods.+)'
action: drop
- regex: instance
action: labeldrop
- job_name: 'traffic-engine'
honor_labels: true
kubernetes_sd_configs:
- role: pod
relabel_configs:
- source_labels: [__meta_kubernetes_namespace]
action: keep
regex: default
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
action: keep
regex: true
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape_slow]
action: drop
regex: true
- source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
action: replace
regex: (.+?)(?::\d+)?;(\d+)
replacement: $1:$2
target_label: __address__
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: serviceFunction
regex: (.*)-(firewall|proxy|shaping|sce)-([a-z0-9]+)-([a-z0-9]+)
replacement: $1
- source_labels: [__meta_kubernetes_pod_label_vsysId]
action: replace
target_label: vsysId
regex: (.+)
- source_labels: [__meta_kubernetes_pod_label_component]
action: replace
target_label: component
regex: (.+)
- source_labels: [__meta_kubernetes_pod_phase]
regex: Pending|Succeeded|Failed|Completed
action: drop
metric_relabel_configs:
- regex: instance
action: labeldrop
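Review bot: The `cadvisor` job sets `tls_config.ca_file` to the service-account CA but also `insecure_skip_verify: true`, so the bearer token is sent to whatever answers at `kubernetes.default.svc:443` without the certificate being checked; the in-cluster CA normally validates that name, so `insecure_skip_verify: false` (or dropping the line) should work and closes the gap. `server.service` exposes Prometheus as `NodePort 30080` on every node with no authentication configured in this chart, which deserves a comment on the intended network boundary. `pullPolicy: Never` throughout relies on the images being pre-loaded on the node (presumably from the saved tars the containers build produces), and the chart pins no image digests, so a mismatched pre-loaded tag would be used silently.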


@@ -0,0 +1,6 @@
rule_target := systemd-exporter
rule_prerequisites :=
define rule_recipes
$(call build_helmchart_package,$(rule_target),0.1.0,0.1.0)
$(call copy_manifest,$(rule_target))
endef


@@ -0,0 +1,12 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: systemd-exporter
namespace: kube-system
spec:
chart: https://%{KUBERNETES_API}%/static/charts/systemd-exporter-0.1.0.tgz
targetNamespace: tsg-os-system
valuesContent: |-
service:
annotations:
prometheus.io/scrape: "true"


@@ -0,0 +1,24 @@
apiVersion: v2
name: systemd-exporter
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.16.0"
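Review bot: `description: A Helm chart for Kubernetes` and `appVersion: "1.16.0"` are the `helm create` scaffold defaults, while the actual image tag in values.yaml is `v0.2.0` and build.mk passes `0.1.0` for both `--version` and `--app-version`; describe the chart (e.g. `description: exporter-merger fronting the node-local systemd exporter`) and set `appVersion` to the image version so the `app.kubernetes.io/version` label emitted by `_helpers.tpl` is truthful. The traffic-engine Chart.yaml below carries the same scaffold text. The long scaffold comments could be trimmed to the two lines about version semantics.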


@@ -0,0 +1,62 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "systemd-exporter.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "systemd-exporter.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "systemd-exporter.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "systemd-exporter.labels" -}}
helm.sh/chart: {{ include "systemd-exporter.chart" . }}
{{ include "systemd-exporter.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "systemd-exporter.selectorLabels" -}}
app.kubernetes.io/name: {{ include "systemd-exporter.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "systemd-exporter.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "systemd-exporter.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}


@@ -0,0 +1,33 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: systemd-exporter
name: systemd-exporter
namespace: {{ .Release.Namespace }}
spec:
replicas: 1
selector:
matchLabels:
app: systemd-exporter
strategy:
type: Recreate
template:
metadata:
labels:
app: systemd-exporter
spec:
hostNetwork: true
containers:
- env:
- name: MERGER_URLS
value: {{ .Values.exporter.urls }}
- name: MERGER_PORT
value: "{{ .Values.exporter.port }}"
image: "{{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }}"
imagePullPolicy: {{ .Values.exporter.image.pullPolicy }}
name: exporter
ports:
- name: ex-systemd-port
containerPort: {{ .Values.exporter.port }}
protocol: TCP
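Review bot: `hostNetwork: true` has no comment explaining why the exporter needs the host network namespace — from values.yaml (`urls: "http://127.0.0.1:9558/metrics"`) it is presumably to reach a node-local systemd exporter on loopback; say so, e.g. `# hostNetwork: the merger scrapes the node's systemd exporter on 127.0.0.1:9558`, because hostNetwork also binds port 9008 on every node interface and typically bypasses NetworkPolicy. The pod sets no `securityContext` or `resources`, and the `_helpers.tpl` label and `serviceAccountName` helpers are defined but unused here (`app: systemd-exporter` is written directly, and `.Values.serviceAccount`, which the helper reads, does not exist in values.yaml) — either wire the helpers in or delete them. `value: {{ .Values.exporter.urls }}` should be rendered with `| quote`, since env values must be strings and a comma-separated URL list may not survive as a plain scalar.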


@@ -0,0 +1,24 @@
apiVersion: v1
kind: Service
metadata:
labels:
app: systemd-exporter
name: systemd-exporter
{{- with .Values.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
namespace: {{ .Release.Namespace }}
spec:
ports:
- name: systemd-exporter-port
{{- if .Values.service.nodePort }}
nodePort: {{ .Values.service.nodePort }}
{{- end }}
port: {{ .Values.service.port }}
targetPort: ex-systemd-port
selector:
app: systemd-exporter
type: {{ .Values.service.type }}


@@ -0,0 +1,13 @@
exporter:
image:
repository: quay.io/rebuy/exporter-merger
pullPolicy: Never
tag: "v0.2.0"
port: "9008"
urls: "http://127.0.0.1:9558/metrics"
service:
type: ClusterIP
# nodePort: "30081"
port: "9008"
annotations: {}


@@ -0,0 +1,3 @@
rule_target := traffic-engine
rule_prerequisites :=
rule_recipes := $(call build_helmchart_package,$(rule_target),$(VERSION),$(APP_VERSION))
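Review bot: `$(VERSION)` and `$(APP_VERSION)` come straight from the environment and are not validated, so an unset variable yields `helm package --app-version  --version  -d …`, which either fails late or packages under the Chart.yaml defaults depending on the helm version. Guard them at include time: `$(if $(strip $(VERSION)),,$(error VERSION is not set))` and likewise for `APP_VERSION`, in contrast to the prometheus and systemd-exporter build.mk files, which hard-code their versions. Because this is a `:=` assignment the `$(call …)` is expanded when the file is included, which a one-line comment should say.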


@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@@ -0,0 +1,24 @@
apiVersion: v2
name: traffic-engine
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.16.0"


@@ -0,0 +1,82 @@
{{/*
The volumes related to "mrzcpd".
The volumes will be mounted by "traffic-engine.mount.mrzcpd".
*/}}
{{- define "traffic-engine.volume.mrzcpd" -}}
- name: opt-tsg-mrzcpd
hostPath:
path: /opt/tsg/mrzcpd
- name: var-run-mrzcpd
hostPath:
path: /var/run/mrzcpd
- name: var-run-dpdk
hostPath:
path: /var/run/dpdk
- name: profile-mrzcpd
hostPath:
path: /etc/profile.d/mrzcpd.sh
type: File
- name: ldconfig-mrzcpd
hostPath:
path: /etc/ld.so.conf.d/mrzcpd.conf
type: File
{{- end -}}
{{/*
The volumeMounts related to "mrzcpd".
Requires "traffic-engine.volume.mrzcpd"
*/}}
{{- define "traffic-engine.mount.mrzcpd" -}}
- name: opt-tsg-mrzcpd
mountPath: /opt/tsg/mrzcpd
mountPropagation: HostToContainer
readOnly: false
- name: var-run-mrzcpd
mountPath: /var/run/mrzcpd
readOnly: false
- name: var-run-dpdk
mountPath: /var/run/dpdk
readOnly: false
- name: profile-mrzcpd
mountPath: /etc/profile.d/mrzcpd.sh
readOnly: true
- name: ldconfig-mrzcpd
mountPath: /etc/ld.so.conf.d/mrzcpd.conf
readOnly: true
{{- end -}}
{{- define "public.sync-host-timezone.volume" -}}
- name: localtime-volume
hostPath:
path: /etc/localtime
{{- end -}}
{{- define "public.sync-host-timezone.volume-mount" -}}
- name: localtime-volume
mountPath: /etc/localtime
readOnly: true
{{- end -}}
{{- define "public.license-support.dev-shm-volume" -}}
- name: dev-shm-volume
hostPath:
path: /dev/shm
{{- end -}}
{{- define "public.license-support.dev-shm-volume-mount" -}}
- name: dev-shm-volume
mountPath: /dev/shm
{{- end -}}
{{- define "public.license-support.dev-bus-usb-volume" -}}
- name: dev-bus-usb-node
hostPath:
path: /dev/bus/usb
{{- end -}}
{{- define "public.license-support.dev-bus-usb-volume-mount" -}}
- name: dev-bus-usb-node
mountPath: /dev/bus/usb
readOnly: true
{{- end -}}
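Review bot: The hostPath volumes `opt-tsg-mrzcpd`, `var-run-mrzcpd`, `var-run-dpdk`, `localtime-volume`, `dev-shm-volume` and `dev-bus-usb-node` carry no `type:`, so the kubelet silently creates any missing path as an empty root-owned directory instead of failing; only the two files under `/etc` declare `type: File`. Because these paths feed privileged containers, add `type: Directory` to the directory volumes so a misconfigured node fails at pod start rather than running with an empty `/var/run/dpdk` or `/opt/tsg/mrzcpd`. `public.license-support.dev-shm-volume-mount` exposes the host's `/dev/shm` read-write, unlike the USB mount which sets `readOnly: true`; if the license check only reads from it, add `readOnly: true` there too, and otherwise a comment on why write access is needed.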


@@ -0,0 +1,11 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
vsysId: "{{ .Values.vsys_id }}"
serviceFunction: {{ .Release.Name }}
name: {{ .Release.Name }}
rules:
- apiGroups: [""]
resources: ["services", "nodes"]
verbs: ["get", "list", "watch"]
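Review bot: `name: {{ .Release.Name }}` on a cluster-scoped ClusterRole means two releases with the same name in different namespaces (the `vsysId` label suggests several instances are expected) would both claim the same object, and Helm will refuse the second install or the two releases will overwrite each other. Prefix cluster-scoped names with the namespace, `name: {{ .Release.Namespace }}-{{ .Release.Name }}`, and use the same name in the ClusterRoleBinding's `roleRef`. The rule set (`get`/`list`/`watch` on `services` and `nodes`) is read-only, which is good; a short comment on why the engine needs cluster-wide node and service reads would let a reviewer confirm it is still the minimum.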


@@ -0,0 +1,15 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
vsysId: "{{ .Values.vsys_id }}"
serviceFunction: {{ .Release.Name }}
name: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Release.Name }}
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}


@@ -0,0 +1,59 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: firewall-{{ .Release.Name }}
namespace: default
data:
values.yaml: |
app_symbol_index: {{ .Values.app_symbol_index }}
appsketch:
{{ toYaml .Values.appsketch | indent 6 }}
decoders:
{{ toYaml .Values.decoders | indent 6 }}
device:
{{ toYaml .Values.device | indent 6 }}
dos_protector:
{{ toYaml .Values.dos_protector | indent 6 }}
etherfabric_settings:
{{ toYaml .Values.etherfabric_settings | indent 6 }}
external_resources:
{{ toYaml .Values.external_resources | indent 6 }}
file_stream_record:
{{ toYaml .Values.file_stream_record | indent 6 }}
firewall:
{{ toYaml .Values.firewall | indent 6 }}
nic_mirror_name:
firewall: {{ .Values.nic_mirror_name.firewall | default "" }}
nic_raw_name: {{ .Values.nic_raw_name }}
overload_protection:
{{ toYaml .Values.overload_protection | indent 6 }}
packet_capture:
{{ toYaml .Values.packet_capture | indent 6 }}
policy_sketch:
{{ toYaml .Values.policy_sketch | indent 6 }}
sapp_affinity:
{{ toYaml .Values.sapp_affinity | indent 4 }}
session_flags:
{{ toYaml .Values.session_flags | indent 6 }}
session_id_generator:
{{ toYaml .Values.session_id_generator | indent 6 }}
session_manager:
{{ toYaml .Values.session_manager | indent 6 }}
session_record:
{{ toYaml .Values.session_record | indent 6 }}
sid:
inject_adapter: {{ .Values.sid.inject_adapter }}
proxy: {{ .Values.sid.proxy }}
sce: {{ .Values.sid.sce }}
shaping: {{ .Values.sid.shaping }}
stat_policy_enforcer:
{{ toYaml .Values.stat_policy_enforcer | indent 6 }}
traffic_mirror:
enable_raw_traffic: {{ .Values.traffic_mirror.enable_raw_traffic }}
traffic_sketch:
{{ toYaml .Values.traffic_sketch | indent 6 }}
transaction_record:
{{ toYaml .Values.transaction_record | indent 6 }}
voip_record:
{{ toYaml .Values.voip_record | indent 6 }}
vsys_id: {{ .Values.vsys_id }}
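Review bot: `namespace: default` is hard-coded while the ServiceAccount uses `{{ .Release.Namespace }}` and the firewall Deployment, which has no explicit namespace, is created in the release namespace and looks up `firewall-{{ .Release.Name }}` there; installing the chart anywhere other than `default` leaves the pod waiting on a missing ConfigMap, and two releases with the same name in different namespaces collide on this one object. Change it to `namespace: {{ .Release.Namespace }}`. `external_resources` is also copied wholesale into the ConfigMap; if it can carry broker or `cm` credentials, those belong in a Secret, since any principal with `get configmaps` in the namespace can read this — cannot tell from the values shown here.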


@@ -0,0 +1,35 @@
{{- if and .Values.proxy.enable (ge (len .Values.tfe_affinity) 1) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: proxy-{{ .Release.Name }}
namespace: default
data:
values.yaml: |
app_symbol_index: {{ .Values.app_symbol_index }}
device:
{{ toYaml .Values.device | indent 6 }}
distmode: {{ .Values.distmode }}
external_resources:
cm:
{{ toYaml .Values.external_resources.cm | indent 8 }}
olap:
kafka_brokers:
{{ toYaml .Values.external_resources.olap.kafka_brokers | indent 10 }}
nic_mirror_name:
proxy: {{ .Values.nic_mirror_name.proxy }}
pktio_affinity:
{{ toYaml .Values.pktio_affinity | indent 4 }}
proxy_config:
{{ toYaml .Values.proxy_config | indent 6 }}
sid:
firewall: {{ .Values.sid.firewall }}
proxy: {{ .Values.sid.proxy }}
sce: {{ .Values.sid.sce }}
tfe_affinity:
{{ toYaml .Values.tfe_affinity | indent 4 }}
tfe_rps_mask: {{ .Values.tfe_rps_mask }}
traffic_mirror:
enable_decrypted_traffic: {{ .Values.traffic_mirror.enable_decrypted_traffic }}
vsys_id: {{ .Values.vsys_id }}
{{- end }}
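Review bot: The guard `ge (len .Values.tfe_affinity) 1` aborts the whole chart render with a `len of untyped nil` error when `tfe_affinity` is absent from the values file, instead of just disabling the proxy; use `(ge (len (.Values.tfe_affinity | default list)) 1)` or `(not (empty .Values.tfe_affinity))`. `namespace: default` pins the ConfigMap to the default namespace while the proxy Deployment that mounts it follows the release namespace, so use `namespace: {{ .Release.Namespace }}` here as well. `nic_mirror_name.proxy` is rendered without the `| default ""` that the firewall ConfigMap applies to `nic_mirror_name.firewall`; pick one convention.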


@@ -0,0 +1,25 @@
{{- if .Values.service_chaining.enable }}
apiVersion: v1
kind: ConfigMap
metadata:
name: sce-{{ .Release.Name }}
namespace: default
data:
values.yaml: |
app_symbol_index: {{ .Values.app_symbol_index }}
device:
{{ toYaml .Values.device | indent 6 }}
external_resources:
cm:
{{ toYaml .Values.external_resources.cm | indent 8 }}
olap:
kafka_brokers:
{{ toYaml .Values.external_resources.olap.kafka_brokers | indent 10 }}
sce_affinity:
{{ toYaml .Values.sce_affinity | indent 4 }}
sce_config:
{{ toYaml .Values.sce_config | indent 6 }}
sid:
firewall: {{ .Values.sid.firewall }}
vsys_id: {{ .Values.vsys_id }}
{{- end }}
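Review bot: `namespace: default` pins this ConfigMap to the default namespace even though the sce Deployment that mounts `sce-{{ .Release.Name }}` carries no `namespace:` and so is created in the release namespace; installed anywhere else, the pod cannot start. Use `namespace: {{ .Release.Namespace }}` (or drop the field and let Helm apply the release namespace). The `kafka_brokers` and `cm` entries under `external_resources` deserve a comment on whether they can include credentials, because a ConfigMap is readable by anyone with `get configmaps` in that namespace.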


@@ -0,0 +1,25 @@
{{- if .Values.shaping.enable }}
apiVersion: v1
kind: ConfigMap
metadata:
name: shaping-{{ .Release.Name }}
namespace: default
data:
values.yaml: |
app_symbol_index: {{ .Values.app_symbol_index }}
device:
{{ toYaml .Values.device | indent 6 }}
external_resources:
cm:
{{ toYaml .Values.external_resources.cm | indent 8 }}
olap:
kafka_brokers:
{{ toYaml .Values.external_resources.olap.kafka_brokers | indent 10 }}
shaping_affinity:
{{ toYaml .Values.shaping_affinity | indent 4 }}
shaping_config:
{{ toYaml .Values.shaping_config | indent 6 }}
sid:
firewall: {{ .Values.sid.firewall }}
vsys_id: {{ .Values.vsys_id }}
{{- end }}
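Review bot: `namespace: default` does not follow the release: the shaping Deployment that mounts `shaping-{{ .Release.Name }}` has no `namespace:` field and lands in `{{ .Release.Namespace }}`, so an install into any other namespace produces a pod stuck on a missing ConfigMap, and same-named releases in different namespaces overwrite each other's config. Replace it with `namespace: {{ .Release.Namespace }}`. Keeping the ConfigMap in the release namespace also means the RBAC boundary of that namespace, not `default`, governs who can read `external_resources`.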


@@ -0,0 +1,212 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-firewall
labels:
app: {{ .Release.Name }}
component: firewall
annotations:
reloader.stakater.com/auto: "true"
spec:
replicas: 1
selector:
matchLabels:
app: {{ .Release.Name }}-firewall
strategy:
type: Recreate
template:
metadata:
labels:
app: {{ .Release.Name }}-firewall
vsysId: "{{ .Values.vsys_id }}"
serviceFunction: {{ .Release.Name }}
component: firewall
{{- if .Values.dos_protector.enable }}
dynamic-hostports: '8551.8552'
{{- end }}
annotations:
prometheus.io/port: "9010"
prometheus.io/scrape: "true"
spec:
tolerations:
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
serviceAccountName: {{ .Release.Name }}
containers:
- name: firewall
image: "registry.gdnt-cloud.website/tsg/os/firewall:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
workingDir: /opt/tsg/sapp
command:
- "bash"
- "-ec"
- |
/usr/local/bin/entrypoint.sh \
{{- if .Values.dos_protector.enable }}
--enable_dos_protector \
{{- end }}
{{- if .Values.debug.firewall.enable_prestart_script }}
--enable_prestart \
{{- end }}
{{- if .Values.debug.firewall.enable_interactive_startup }}
--enable_interactive_startup \
{{- end }}
|| echo "Failed to start."
ports:
- containerPort: 51218
{{- if .Values.dos_protector.enable }}
- containerPort: 8551
- containerPort: 8552
{{- end }}
env:
- name: DEPLOYMENT_NAME
value: {{ .Release.Name }}-firewall
- name: MRZCPD_CTRLMSG_LISTEN_ADDR
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: OVERRIDE_SLED_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: NODE_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
securityContext:
privileged: true
{{- if .Values.debug.firewall.enable_liveness_probe }}
livenessProbe:
tcpSocket:
port: 51218
failureThreshold: 1
timeoutSeconds: 10
startupProbe:
tcpSocket:
port: 51218
failureThreshold: 90
periodSeconds: 10
{{- end }}
volumeMounts:
- name: journal-volume
mountPath: /run/systemd/journal
- name: firewall-configs-volume
mountPath: "/templates/values.yaml"
subPath: "values.yaml"
- name: firewall-log
mountPath: /opt/tsg/sapp/log
- name: metrics-json-dir
mountPath: "/opt/tsg/sapp/metrics"
{{- if .Values.debug.firewall.enable_prestart_script }}
- name: prestart-dir
mountPath: /tmp/prestart
- name: firewall-prestart
mountPath: /opt/tsg/scripts/prestart.sh
{{- end }}
{{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }}
{{- if .Values.debug.firewall.enable_mount_host_filesystem }}
- name: host-root
mountPath: /host
{{- end }}
{{- include "traffic-engine.mount.mrzcpd" . | nindent 8 }}
{{- include "public.license-support.dev-bus-usb-volume-mount" . | nindent 8 }}
{{- include "public.license-support.dev-shm-volume-mount" . | nindent 8 }}
- name: fieldstat-exporter
image: "registry.gdnt-cloud.website/tsg/os/firewall:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command:
- "bash"
- "-ec"
- |
ldconfig
python3 /opt/tsg/framework/bin/fieldstat_exporter.py prometheus -p 9010 -d /opt/tsg/sapp/metrics
ports:
- containerPort: 9010
securityContext:
privileged: true
livenessProbe:
tcpSocket:
port: 9010
failureThreshold: 1
timeoutSeconds: 10
startupProbe:
tcpSocket:
port: 9010
failureThreshold: 5
periodSeconds: 10
volumeMounts:
- name: metrics-json-dir
mountPath: "/opt/tsg/sapp/metrics"
{{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }}
initContainers:
- name: init-default-svc
image: "registry.gdnt-cloud.website/tsg/os/firewall:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command:
- "bash"
- "-ec"
- |
until nslookup kubernetes.default.svc; do echo waiting for kubernetes service; sleep 2; done
- name: init-packet-io-engine-ready
image: "registry.gdnt-cloud.website/tsg/os/firewall:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command:
- "bash"
- "-ec"
- |
until [ $(curl -s -o /dev/null -w "%{http_code}" http://${NODE_IP}:9086/probe) -eq 200 ]; do echo waiting for packet-io-engine ready; sleep 2; done
env:
- name: NODE_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
volumes:
- name: journal-volume
hostPath:
path: /run/systemd/journal
type: Directory
- name: firewall-configs-volume
configMap:
name: firewall-{{ .Release.Name }}
- name: metrics-json-dir
emptyDir: {}
- name: firewall-log
hostPath:
path: /var/log/traffic-engine/traffic-engine-{{ .Release.Name }}/sapp/
{{- if .Values.debug.firewall.enable_prestart_script }}
- name: prestart-dir
hostPath:
path: /etc/tsg-os/{{ .Release.Name }}/
type: DirectoryOrCreate
- name: firewall-prestart
hostPath:
{{- if .Values.debug.firewall.prestart_script }}
path: {{ .Values.debug.firewall.prestart_script }}
{{- else }}
path: /etc/tsg-os/{{ .Release.Name }}/firewall_prestart_script.sh
{{- end }}
type: FileOrCreate
{{- end }}
{{- include "traffic-engine.volume.mrzcpd" . | nindent 6 }}
{{- include "public.sync-host-timezone.volume" . | nindent 6 }}
{{- if .Values.debug.firewall.enable_mount_host_filesystem }}
- name: host-root
hostPath:
path: /
{{- end }}
{{- include "public.license-support.dev-bus-usb-volume" . | nindent 6 }}
{{- include "public.license-support.dev-shm-volume" . | nindent 6 }}
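Review bot: The `fieldstat-exporter` sidecar runs `privileged: true` although all it does is `ldconfig` and serve a Python exporter on 9010 from the shared `metrics-json-dir` emptyDir; nothing it mounts needs host access, so drop the privilege there (`securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: [ALL]}}`) and keep it only on the `firewall` container that touches DPDK, `/dev/shm` and `/dev/bus/usb`. The main command ends in `|| echo "Failed to start."`, which turns an entrypoint failure into exit code 0, so the failure shows only in logs or via the optional liveness probe; `|| { echo "Failed to start."; exit 1; }` keeps the message without masking the status. With `enable_mount_host_filesystem` the host root is mounted read-write at `/host`; `readOnly: true` on that mount, unless something is known to write through it, would shrink the debug blast radius.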


@@ -0,0 +1,329 @@
{{- if and .Values.proxy.enable (ge (len .Values.tfe_affinity) 1) }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-proxy
labels:
app: {{ .Release.Name }}
component: proxy
annotations:
reloader.stakater.com/auto: "true"
spec:
replicas: 1
selector:
matchLabels:
app: {{ .Release.Name }}-proxy
strategy:
type: Recreate
template:
metadata:
labels:
app: {{ .Release.Name }}-proxy
vsysId: "{{ .Values.vsys_id }}"
serviceFunction: {{ .Release.Name }}
component: proxy
annotations:
prometheus.io/port: "9003"
prometheus.io/scrape: "true"
spec:
tolerations:
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
serviceAccountName: {{ .Release.Name }}
containers:
- name: proxy
image: "registry.gdnt-cloud.website/tsg/os/proxy:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
workingDir: /opt/tsg/tfe
command:
- "bash"
- "-ec"
- |
/usr/local/bin/entrypoint.sh \
{{- if .Values.debug.proxy.enable_prestart_script }}
--enable_prestart \
{{- end }}
{{- if .Values.debug.proxy.enable_interactive_startup }}
--enable_interactive_startup \
{{- end }}
|| echo "Failed to start."
ports:
- containerPort: 9001
env:
- name: DEPLOYMENT_NAME
value: {{ .Release.Name }}-proxy
- name: MRZCPD_CTRLMSG_LISTEN_ADDR
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: OVERRIDE_SLED_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
securityContext:
privileged: true
{{- if .Values.debug.proxy.enable_liveness_probe }}
livenessProbe:
tcpSocket:
port: 9001
failureThreshold: 1
timeoutSeconds: 10
startupProbe:
tcpSocket:
port: 9001
failureThreshold: 30
periodSeconds: 10
{{- end }}
volumeMounts:
- name: journal-volume
mountPath: /run/systemd/journal
- name: proxy-configs-volume
mountPath: "/templates/values.yaml"
subPath: "values.yaml"
- name: proxy-log
mountPath: /opt/tsg/tfe/log
{{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }}
{{- if .Values.debug.proxy.enable_prestart_script }}
- name: prestart-dir
mountPath: /tmp/prestart
- name: proxy-prestart
mountPath: /opt/tsg/scripts/prestart.sh
{{- end }}
{{- if .Values.debug.proxy.enable_mount_host_filesystem }}
- name: host-root
mountPath: /host
{{- end }}
{{- include "traffic-engine.mount.mrzcpd" . | nindent 8 }}
{{- include "public.license-support.dev-bus-usb-volume-mount" . | nindent 8 }}
- name: certstore
image: "registry.gdnt-cloud.website/tsg/os/proxy-certstore:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
workingDir: /opt/tsg/certstore
command:
- "bash"
- "-ec"
- |
/usr/local/bin/entrypoint.sh || echo "Failed to start."
securityContext:
privileged: true
ports:
- containerPort: 9002
env:
- name: OVERRIDE_SLED_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
volumeMounts:
- name: proxy-configs-volume
mountPath: "/templates/values.yaml"
subPath: "values.yaml"
- name: certstore-log
mountPath: /opt/tsg/certstore/logs
{{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }}
- name: cert-redis
image: "registry.gdnt-cloud.website/tsg/os/proxy-certstore:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command: ["/usr/bin/redis-server", "/etc/cert-redis.conf"]
securityContext:
privileged: true
volumeMounts:
{{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }}
- name: merged-exporter
image: "quay.io/rebuy/exporter-merger:v0.2.0"
imagePullPolicy: Never
env:
- name: MERGER_URLS
value: http://127.0.0.1:9001/metrics http://127.0.0.1:9002/metrics
- name: MERGER_PORT
value: "9003"
ports:
- containerPort: 9003
initContainers:
- name: init-default-svc
image: "registry.gdnt-cloud.website/tsg/os/proxy:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command:
- "bash"
- "-ec"
- |
until nslookup kubernetes.default.svc; do echo waiting for kubernetes service; sleep 2; done
- name: init-packet-io-engine-ready
image: "registry.gdnt-cloud.website/tsg/os/proxy:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command:
- "bash"
- "-ec"
- |
until [ $(curl -s -o /dev/null -w "%{http_code}" http://${NODE_IP}:9086/probe) -eq 200 ]; do echo waiting for packet-io-engine ready; sleep 2; done
env:
- name: NODE_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: proxy-init
image: "registry.gdnt-cloud.website/tsg/os/proxy:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command:
- "bash"
- "-ecx"
- |
mount -o remount,rw /sys
# disable rpfilter
sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.conf.default.rp_filter=0
# fs
sysctl -w fs.file-max=1048576
sysctl -w net.core.somaxconn=131072
# tcp options about TIME_WAIT
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_tw_reuse=1
sysctl -w net.ipv4.tcp_max_tw_buckets=4096
sysctl -w net.ipv4.tcp_max_syn_backlog=131072
# bbr
sysctl -w net.ipv4.tcp_congestion_control=bbr
# tcp feature
sysctl -w net.ipv4.tcp_ecn=0
sysctl -w net.ipv4.tcp_sack=1
sysctl -w net.ipv4.tcp_timestamps=1
# disable tcp windows scaling for kernel bugs
sysctl -w net.ipv4.tcp_window_scaling=0
ip tuntap add dev tap0 mode tap multi_queue
/usr/sbin/ip link set tap0 address fe:65:b7:03:50:bd
/usr/sbin/ip link set tap0 up
/usr/sbin/ip addr flush dev tap0
/usr/sbin/ip addr add 172.16.241.2/30 dev tap0
/usr/sbin/ip neigh flush dev tap0
/usr/sbin/ip neigh add 172.16.241.1 lladdr 00:0e:c6:d6:72:c1 dev tap0 nud permanent
/usr/sbin/ip6tables -A INPUT -i tap0 -m bpf --bytecode '17,48 0 0 0,84 0 0 240,21 0 13 96,48 0 0 6,21 0 11 6,40 0 0 4,37 0 9 24,48 0 0 52,84 0 0 240,116 0 0 2,53 0 5 24,48 0 0 60,21 0 3 88,48 0 0 61,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
/usr/sbin/iptables -A INPUT -i tap0 -m bpf --bytecode '18,48 0 0 0,84 0 0 240,21 0 14 64,48 0 0 9,21 0 12 6,40 0 0 6,69 10 0 8191,177 0 0 0,80 0 0 12,84 0 0 240,116 0 0 2,53 0 5 24,80 0 0 20,21 0 3 88,80 0 0 21,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
/usr/sbin/ip rule add iif tap0 tab 100
/usr/sbin/ip route add local default dev lo table 100
/usr/sbin/ip rule add fwmark 0x65 lookup 101
/usr/sbin/ip route add default dev tap0 via 172.16.241.1 table 101
/usr/sbin/ip addr add fd00::02/64 dev tap0
/usr/sbin/ip -6 route add default via fd00::01
/usr/sbin/ip -6 rule add iif tap0 tab 102
/usr/sbin/ip -6 route add local default dev lo table 102
/usr/sbin/ip -6 neigh add fd00::01 lladdr 00:0e:c6:d6:72:c1 dev tap0 nud permanent
#decrypted traffic steering
/usr/sbin/ip tuntap add dev tap_c mode tap multi_queue
/usr/sbin/ip tuntap add dev tap_s mode tap multi_queue
/usr/sbin/ip link set tap_c address 80:61:5f:0f:97:e5
/usr/sbin/ip link set tap_s address 80:61:5f:0f:97:e6
/usr/sbin/ip link set tap_c up
/usr/sbin/ip link set tap_s up
/usr/sbin/ethtool --offload tap_c rx off tx off
/usr/sbin/ethtool --offload tap_s rx off tx off
/usr/sbin/ip link set tap_c up
/usr/sbin/ip link set tap_s up
/usr/sbin/ip addr flush dev tap_c
/usr/sbin/ip addr flush dev tap_s
/usr/sbin/ip addr add 2.2.2.2/24 dev tap_c
/usr/sbin/ip addr add 3.3.3.3/24 dev tap_s
/usr/sbin/ip -4 neigh flush dev tap_c
/usr/sbin/ip -4 neigh flush dev tap_s
/usr/sbin/ip -4 neigh add 2.2.2.1 lladdr 80:61:5f:0f:97:e6 dev tap_c nud permanent
/usr/sbin/ip -4 neigh add 3.3.3.1 lladdr 80:61:5f:0f:97:e5 dev tap_s nud permanent
/usr/sbin/ip -4 rule add fwmark 0x11 lookup 111
/usr/sbin/ip -4 rule add fwmark 0x22 lookup 222
/usr/sbin/ip -4 route add default dev tap_c via 2.2.2.1 table 111
/usr/sbin/ip -4 route add default dev tap_s via 3.3.3.1 table 222
/usr/sbin/ip -4 rule add iif tap_c tab 100
/usr/sbin/ip -4 rule add iif tap_s tab 100
/usr/sbin/ip addr add fd02::02/64 dev tap_c
/usr/sbin/ip addr add fd03::03/64 dev tap_s
/usr/sbin/ip -6 neigh flush dev tap_c
/usr/sbin/ip -6 neigh flush dev tap_s
/usr/sbin/ip -6 neigh add fd02::01 lladdr 80:61:5f:0f:97:e6 dev tap_c nud permanent
/usr/sbin/ip -6 neigh add fd03::01 lladdr 80:61:5f:0f:97:e5 dev tap_s nud permanent
/usr/sbin/ip -6 rule add fwmark 0x11 lookup 333
/usr/sbin/ip -6 rule add fwmark 0x22 lookup 444
/usr/sbin/ip -6 route add default dev tap_c via fd02::01 table 333
/usr/sbin/ip -6 route add default dev tap_s via fd03::01 table 444
/usr/sbin/ip -6 rule add iif tap_c tab 102
/usr/sbin/ip -6 rule add iif tap_s tab 102
securityContext:
privileged: true
env:
- name: NODE_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
volumeMounts:
{{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }}
volumes:
- name: journal-volume
hostPath:
path: /run/systemd/journal
type: Directory
- name: proxy-configs-volume
configMap:
name: proxy-{{ .Release.Name }}
- name: proxy-log
hostPath:
path: /var/log/traffic-engine/traffic-engine-{{ .Release.Name }}/tfe/
- name: certstore-log
hostPath:
path: /var/log/traffic-engine/traffic-engine-{{ .Release.Name }}/certstore/
{{- include "traffic-engine.volume.mrzcpd" . | nindent 6 }}
{{- include "public.sync-host-timezone.volume" . | nindent 6 }}
{{- if .Values.debug.proxy.enable_prestart_script }}
- name: prestart-dir
hostPath:
path: /etc/tsg-os/{{ .Release.Name }}/
type: DirectoryOrCreate
- name: proxy-prestart
hostPath:
{{- if .Values.debug.proxy.prestart_script }}
path: {{ .Values.debug.proxy.prestart_script }}
{{- else }}
path: /etc/tsg-os/{{ .Release.Name }}/proxy_prestart_script.sh
{{- end }}
type: FileOrCreate
{{- end }}
{{- if .Values.debug.proxy.enable_mount_host_filesystem }}
- name: host-root
hostPath:
path: /
{{- end }}
{{- include "public.license-support.dev-bus-usb-volume" . | nindent 6 }}
{{- end }}
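Review bot: `certstore` and `cert-redis` both run `privileged: true` although they mount only the ConfigMap, a log hostPath and `/etc/localtime`, and `cert-redis` simply runs `redis-server /etc/cert-redis.conf`; a privileged Redis that (by its name) holds interception certificates can, if reached or misconfigured, write anywhere on the host, so drop the privilege on both sidecars unless a concrete need is documented. In `proxy-init`, the two `-m bpf --bytecode '...'` rules carry no comment on what they classify into `NFQUEUE --queue-num 1`; a one-line note on the matched protocol/option would let the rules be reviewed and regenerated. The tap addresses `2.2.2.2/24` and `3.3.3.3/24` are public address space, so the `iif tap_c`/`tap_s` rules and tables 111/222 could shadow a real destination in those prefixes; RFC 1918 space like the `172.16.241.0/30` already used for `tap0`, or a comment on why this is safe, would be preferable.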


@@ -0,0 +1,234 @@
{{- if .Values.service_chaining.enable }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-sce
labels:
app: {{ .Release.Name }}
component: service-chaining
annotations:
reloader.stakater.com/auto: "true"
spec:
replicas: 1
selector:
matchLabels:
app: {{ .Release.Name }}-service-chaining
strategy:
type: Recreate
template:
metadata:
labels:
app: {{ .Release.Name }}-service-chaining
vsysId: "{{ .Values.vsys_id }}"
serviceFunction: {{ .Release.Name }}
component: service-chaining
annotations:
prometheus.io/port: "9006"
prometheus.io/scrape: "true"
spec:
tolerations:
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
serviceAccountName: {{ .Release.Name }}
containers:
- name: sce
image: "registry.gdnt-cloud.website/tsg/os/sce:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
workingDir: /opt/tsg/sce
command:
- "bash"
- "-ec"
- |
/usr/local/bin/entrypoint.sh \
{{- if .Values.debug.service_chaining.enable_prestart_script }}
--enable_prestart \
{{- end }}
{{- if .Values.debug.service_chaining.enable_interactive_startup }}
--enable_interactive_startup \
{{- end }}
|| echo "Failed to start."
ports:
- containerPort: 9006
env:
- name: DEPLOYMENT_NAME
value: {{ .Release.Name }}-service-chaining
- name: MRZCPD_CTRLMSG_LISTEN_ADDR
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: OVERRIDE_SLED_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
securityContext:
privileged: true
{{- if .Values.debug.service_chaining.enable_liveness_probe }}
livenessProbe:
tcpSocket:
port: 9006
failureThreshold: 1
timeoutSeconds: 10
startupProbe:
tcpSocket:
port: 9006
failureThreshold: 30
periodSeconds: 10
{{- end }}
volumeMounts:
- name: journal-volume
mountPath: /run/systemd/journal
- name: sce-configs-volume
mountPath: "/templates/values.yaml"
subPath: "values.yaml"
- name: sce-log
mountPath: /opt/tsg/sce/log
- name: bfdd-unix-socket
mountPath: /run/frr
{{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }}
{{- if .Values.debug.service_chaining.enable_prestart_script }}
- name: prestart-dir
mountPath: /tmp/prestart
- name: service-chaining-prestart
mountPath: /opt/tsg/scripts/prestart.sh
{{- end }}
{{- if .Values.debug.service_chaining.enable_mount_host_filesystem }}
- name: host-root
mountPath: /host
{{- end }}
{{- include "traffic-engine.mount.mrzcpd" . | nindent 8 }}
- name: bfdd
image: "registry.gdnt-cloud.website/tsg/os/sce-bfdd:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
workingDir: /opt/tsg/bfdd
command:
- "bash"
- "-ec"
- |
/usr/local/bin/entrypoint.sh
env:
- name: MRZCPD_CTRLMSG_LISTEN_ADDR
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: OVERRIDE_SLED_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
securityContext:
privileged: true
volumeMounts:
- name: bfdd-log
mountPath: /opt/tsg/bfdd/log
- name: bfdd-unix-socket
mountPath: /run/frr
{{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }}
initContainers:
- name: init-default-svc
image: "registry.gdnt-cloud.website/tsg/os/sce:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command:
- "bash"
- "-ec"
- |
until nslookup kubernetes.default.svc; do echo waiting for kubernetes service; sleep 2; done
- name: init-packet-io-engine-ready
image: "registry.gdnt-cloud.website/tsg/os/sce:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command:
- "bash"
- "-ec"
- |
until [ $(curl -s -o /dev/null -w "%{http_code}" http://${NODE_IP}:9086/probe) -eq 200 ]; do echo waiting for packet-io-engine ready; sleep 2; done
env:
- name: NODE_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: service-chaining-init
image: "registry.gdnt-cloud.website/tsg/os/sce:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command:
- "bash"
- "-ecx"
- |
{{- if .Values.sce_config.vxlan_config.endpoint_nic }}
ip tuntap add dev {{ .Values.sce_config.vxlan_config.endpoint_nic }} mode tap
ip link set dev {{ .Values.sce_config.vxlan_config.endpoint_nic }} up
ip route add {{ .Values.sce_config.vxlan_config.endpoint_netip }}/{{ .Values.sce_config.vxlan_config.endpoint_mask }} dev {{ .Values.sce_config.vxlan_config.endpoint_nic }} table 10
{{- if .Values.sce_config.vxlan_config.endpoint_gateway }}
ip route add default via {{ .Values.sce_config.vxlan_config.endpoint_gateway }} table 10
{{- end }}
ip a a {{ .Values.sce_config.vxlan_config.endpoint_ip }}/{{ .Values.sce_config.vxlan_config.endpoint_mask }} dev {{ .Values.sce_config.vxlan_config.endpoint_nic }} noprefixroute
ip rule add dport 3784 table 10
iptables -t mangle -A PREROUTING -p udp --dport 3784 -j TTL --ttl-set 255
{{- end }}
securityContext:
privileged: true
env:
- name: NODE_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
volumeMounts:
{{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }}
volumes:
- name: journal-volume
hostPath:
path: /run/systemd/journal
type: Directory
- name: sce-configs-volume
configMap:
name: sce-{{ .Release.Name }}
- name: sce-log
hostPath:
path: /var/log/traffic-engine/traffic-engine-{{ .Release.Name }}/sce/
- name: bfdd-log
hostPath:
path: /var/log/traffic-engine/traffic-engine-{{ .Release.Name }}/bfdd/
- name: bfdd-unix-socket
emptyDir: {}
{{- include "traffic-engine.volume.mrzcpd" . | nindent 6 }}
{{- include "public.sync-host-timezone.volume" . | nindent 6 }}
{{- if .Values.debug.service_chaining.enable_prestart_script }}
- name: prestart-dir
hostPath:
path: /etc/tsg-os/{{ .Release.Name }}/
type: DirectoryOrCreate
- name: service-chaining-prestart
hostPath:
{{- if .Values.debug.service_chaining.prestart_script }}
path: {{ .Values.debug.service_chaining.prestart_script }}
{{- else }}
path: /etc/tsg-os/{{ .Release.Name }}/service_chaining_prestart_script.sh
{{- end }}
type: FileOrCreate
{{- end }}
{{- if .Values.debug.service_chaining.enable_mount_host_filesystem }}
- name: host-root
hostPath:
path: /
{{- end }}
{{- end }}
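Review bot: In `service-chaining-init`, the `sce_config.vxlan_config.*` values are interpolated unquoted into a `bash -ecx` script (`ip route add {{ .Values.sce_config.vxlan_config.endpoint_netip }}/{{ ... }} dev {{ ... }} table 10`), so a value containing whitespace or shell metacharacters changes the command rather than failing validation; quote them, e.g. `"{{ .Values.sce_config.vxlan_config.endpoint_nic }}"`, or check them with `required`/`regexMatch` in the template before they reach the shell. The `iptables -t mangle -A PREROUTING -p udp --dport 3784 -j TTL --ttl-set 255` line is presumably there for single-hop BFD's TTL-255 check, which is worth a comment because rewriting TTL otherwise reads as a mistake. `bfdd` runs `privileged: true` while mounting only a log hostPath and the `bfdd-unix-socket` emptyDir; if it needs only raw sockets, `capabilities: {add: [NET_RAW, NET_ADMIN]}` is narrower.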


@@ -0,0 +1,206 @@
{{- if .Values.shaping.enable }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-shaping
labels:
app: {{ .Release.Name }}
component: shaping
annotations:
reloader.stakater.com/auto: "true"
spec:
replicas: 1
selector:
matchLabels:
app: {{ .Release.Name }}-shaping
strategy:
type: Recreate
template:
metadata:
labels:
app: {{ .Release.Name }}-shaping
vsysId: "{{ .Values.vsys_id }}"
serviceFunction: {{ .Release.Name }}
component: shaping
dynamic-hostports: '8551.8552'
annotations:
prometheus.io/port: "9007"
prometheus.io/scrape: "true"
spec:
tolerations:
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
serviceAccountName: {{ .Release.Name }}
containers:
- name: shaping
image: "registry.gdnt-cloud.website/tsg/os/shaping:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
workingDir: /opt/tsg/shaping_engine
command:
- "bash"
- "-ec"
- |
/usr/local/bin/entrypoint.sh \
{{- if .Values.debug.shaping.enable_prestart_script }}
--enable_prestart \
{{- end }}
{{- if .Values.debug.shaping.enable_interactive_startup }}
--enable_interactive_startup \
{{- end }}
|| echo "Failed to start."
ports:
- containerPort: 8551
- containerPort: 8552
env:
- name: MY_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: DEPLOYMENT_NAME
value: {{ .Release.Name }}-shaping
- name: NODE_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: MRZCPD_CTRLMSG_LISTEN_ADDR
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: OVERRIDE_SLED_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
{{- if .Values.debug.shaping.enable_liveness_probe }}
livenessProbe:
tcpSocket:
port: 8552
failureThreshold: 1
timeoutSeconds: 10
startupProbe:
tcpSocket:
port: 8552
failureThreshold: 30
periodSeconds: 10
{{- end }}
securityContext:
privileged: true
volumeMounts:
- name: journal-volume
mountPath: /run/systemd/journal
- name: shaping-configs-volume
mountPath: "/templates/values.yaml"
subPath: "values.yaml"
- name: shaping-log
mountPath: /opt/tsg/shaping_engine/log
- name: metrics-json-dir
mountPath: "/opt/tsg/shaping_engine/metric"
{{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }}
{{- if .Values.debug.shaping.enable_prestart_script }}
- name: prestart-dir
mountPath: /tmp/prestart
- name: shaping-prestart
mountPath: /opt/tsg/scripts/prestart.sh
{{- end }}
{{- if .Values.debug.shaping.enable_mount_host_filesystem }}
- name: host-root
mountPath: /host
{{- end }}
{{- include "traffic-engine.mount.mrzcpd" . | nindent 8 }}
- name: fieldstat-exporter
image: "registry.gdnt-cloud.website/tsg/os/shaping:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command:
- "bash"
- "-ec"
- |
ldconfig
python3 /opt/tsg/framework/bin/fieldstat_exporter.py prometheus -p 9007 -d /opt/tsg/shaping_engine/metric
ports:
- containerPort: 9007
securityContext:
privileged: true
livenessProbe:
tcpSocket:
port: 9007
failureThreshold: 1
timeoutSeconds: 10
startupProbe:
tcpSocket:
port: 9007
failureThreshold: 5
periodSeconds: 10
volumeMounts:
- name: metrics-json-dir
mountPath: "/opt/tsg/shaping_engine/metric"
{{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }}
initContainers:
- name: init-default-svc
image: "registry.gdnt-cloud.website/tsg/os/shaping:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command:
- "bash"
- "-ec"
- |
until nslookup kubernetes.default.svc; do echo waiting for kubernetes service; sleep 2; done
- name: init-packet-io-engine-ready
image: "registry.gdnt-cloud.website/tsg/os/shaping:{{ .Chart.AppVersion }}"
imagePullPolicy: Never
command:
- "bash"
- "-ec"
- |
until [ $(curl -s -o /dev/null -w "%{http_code}" http://${NODE_IP}:9086/probe) -eq 200 ]; do echo waiting for packet-io-engine ready; sleep 2; done
env:
- name: NODE_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
volumes:
- name: journal-volume
hostPath:
path: /run/systemd/journal
type: Directory
- name: shaping-configs-volume
configMap:
name: shaping-{{ .Release.Name }}
- name: metrics-json-dir
emptyDir: {}
- name: shaping-log
hostPath:
path: /var/log/traffic-engine/traffic-engine-{{ .Release.Name }}/shaping_engine/
{{- include "traffic-engine.volume.mrzcpd" . | nindent 6 }}
{{- include "public.sync-host-timezone.volume" . | nindent 6 }}
{{- if .Values.debug.shaping.enable_prestart_script }}
- name: prestart-dir
hostPath:
path: /etc/tsg-os/{{ .Release.Name }}/
type: DirectoryOrCreate
- name: shaping-prestart
hostPath:
{{- if .Values.debug.shaping.prestart_script }}
path: {{ .Values.debug.shaping.prestart_script }}
{{- else }}
path: /etc/tsg-os/{{ .Release.Name }}/shaping_prestart_script.sh
{{- end }}
type: FileOrCreate
{{- end }}
{{- if .Values.debug.shaping.enable_mount_host_filesystem }}
- name: host-root
hostPath:
path: /
{{- end }}
{{- end }}
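Review bot: The pod label `dynamic-hostports: '8551.8552'` is set unconditionally here, while the firewall Deployment sets the same label and exposes the same `containerPort: 8551`/`8552` only when `dos_protector.enable` is on; if that label drives host-port allocation as its name suggests, a DoS-protecting firewall and a shaping pod on the same node will contend for the same two host ports. Either derive the shaping ports from a distinct value or document why the two cannot co-locate. As in the firewall Deployment, the `fieldstat-exporter` sidecar is `privileged: true` but only reads the `metrics-json-dir` emptyDir and serves on 9007, so the privilege can be dropped there.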


@@ -0,0 +1,8 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
vsysId: "{{ .Values.vsys_id }}"
serviceFunction: {{ .Release.Name }}
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
