feature: delete ansible role bfdd,certstore,container-tools-install,firewall,framework,http_healthcheck,redis,sapp,sce,shaping_engine,tfe,tsg-cm

This commit is contained in:
fumingwei
2024-10-24 11:57:22 +08:00
parent 6e9097ef4b
commit 60183d1a77
68 changed files with 0 additions and 3372 deletions


@@ -27,72 +27,3 @@
- {role: patches-9000-NPB, tags: patches-9000-NPB}
- {role: tsg-os-oobc, tags: tsg-os-oobc}
- {role: tsg-os-logfile-cleaner, tags: tsg-os-logfile-cleaner}
- hosts: x86_64_COTS-firewall
remote_user: root
vars_files:
- install_config/group_vars/HAL_x86_64_COTS.yml
- install_config/group_vars/rpm_version.yml
roles:
- {role: framework, tags: framework}
- {role: sapp, tags: sapp}
- {role: firewall, tags: firewall}
- {role: http_healthcheck, tags: http_healthcheck}
- {role: hasp, tags: hasp}
- hosts: x86_64_COTS-proxy
remote_user: root
vars_files:
- install_config/group_vars/HAL_x86_64_COTS.yml
- install_config/group_vars/rpm_version.yml
roles:
- {role: framework, tags: framework}
- {role: tfe, tags: tfe}
- {role: hasp, tags: hasp}
- hosts: x86_64_COTS-certstore
remote_user: root
vars_files:
- install_config/group_vars/HAL_x86_64_COTS.yml
- install_config/group_vars/rpm_version.yml
roles:
- {role: framework, tags: framework}
- {role: redis, tags: redis}
- {role: certstore, tags: certstore}
- hosts: x86_64_COTS-sce
remote_user: root
vars_files:
- install_config/group_vars/HAL_x86_64_COTS.yml
- install_config/group_vars/rpm_version.yml
roles:
- {role: framework, tags: framework}
- {role: sce, tags: sce}
- {role: hasp, tags: hasp}
- hosts: x86_64_COTS-bfdd
remote_user: root
vars_files:
- install_config/group_vars/HAL_x86_64_COTS.yml
- install_config/group_vars/rpm_version.yml
roles:
- {role: framework, tags: framework}
- {role: bfdd, tags: bfdd}
- hosts: x86_64_COTS-shaping
remote_user: root
vars_files:
- install_config/group_vars/HAL_x86_64_COTS.yml
- install_config/group_vars/rpm_version.yml
roles:
- {role: framework, tags: framework}
- {role: shaping_engine, tags: shaping_engine}
- hosts: x86_64_COTS-base
remote_user: root
vars_files:
- install_config/group_vars/HAL_x86_64_COTS.yml
- install_config/group_vars/rpm_version.yml
roles:
- {role: container-tools-install, tags: container-tools-install}


@@ -1,39 +0,0 @@
---
- name: "install pcre2"
yum:
name: pcre2
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "temp: copy libyang rpm to dest"
copy:
src: "{{ role_path }}/files/libyang2-2.0.7-1.el8.x86_64.rpm"
dest: /tmp
- name: "install libyang2"
yum:
name:
- /tmp/libyang2-2.0.7-1.el8.x86_64.rpm
state: present
disable_gpg_check: yes
- name: "download rpm packages: bfdd"
yum:
name:
- "{{ bfdd_rpm_version.bfdd }}"
conf_file: "{{ rpm_repo_config_path }}"
state: present
download_only: yes
download_dir: "{{ path_download }}"
- name: "Get bfdd rpm path"
find:
path: /tmp/rpm_download/
pattern: "{{ bfdd_rpm_version.bfdd }}*"
register: bfdd_rpm_fullname
- name: "Install bfdd from local path"
yum:
name: "{{ bfdd_rpm_fullname.files[0].path }}"
state: present
disable_gpg_check: yes



@@ -1,12 +0,0 @@
[Unit]
Description=Redis persistent key-value database
After=network.target
[Service]
ExecStart=/usr/bin/redis-server /etc/cert-redis.conf --supervised systemd
ExecStop=/usr/libexec/redis-shutdown cert-redis
Type=notify
[Install]
WantedBy=multi-user.target


@@ -1,3 +0,0 @@
---
dependencies:
- role: redis


@@ -1,112 +0,0 @@
- name: Ensures /opt/tsg exists
file: path=/opt/tsg state=directory
tags: mkdir
#- name: "Install certstore"
# shell: rpm -i /tmp/rpm_download/{{ certstore_rpm_version.certstore }}*
- name: "download rpm packages: certstore"
yum:
name:
- "{{ certstore_rpm_version.certstore }}"
conf_file: "{{ rpm_repo_config_path }}"
state: present
download_only: yes
download_dir: "{{ path_download }}"
- name: "Get certstore rpm path"
find:
path: /tmp/rpm_download/
pattern: "{{ certstore_rpm_version.certstore }}*"
register: certstore_rpm_fullname
- name: "Install certstore from local path"
yum:
name: "{{ certstore_rpm_fullname.files[0].path }}"
state: present
disable_gpg_check: yes
- name: template certstore configure file
template:
src: "{{ role_path }}/templates/cert_store.ini.j2.j2"
dest: /opt/tsg/tsg-os-provision/templates/cert_store.ini.j2
when: runtime_env != 'TSG-X-P0906'
- name: template certstore zlog file
template:
src: "{{ role_path }}/templates/zlog.conf.j2"
dest: /opt/tsg/certstore/conf/zlog.conf
- name: "Create /usr/lib/systemd/system/certstore.service.d directory if it does not exist"
file:
path: "{{ item }}"
state: directory
mode: '0755'
with_items:
- /usr/lib/systemd/system/certstore.service.d
- name: "copy slice file to certstore.service.d"
copy:
src: "{{ role_path }}/templates/service_override_slice.conf.j2"
dest: /usr/lib/systemd/system/certstore.service.d/service_override_slice.conf
mode: 0644
when: runtime_env != 'TSG-X-P0906'
- name: "copy env file to certstore.service.d"
copy:
src: "{{ role_path }}/templates/service_override_env.conf.j2"
dest: /usr/lib/systemd/system/certstore.service.d/service_override_env.conf
mode: 0644
- name: "Create /usr/lib/systemd/system/cert-redis.service.d directory if it does not exist"
file:
path: "{{ item }}"
state: directory
mode: '0755'
with_items:
- /usr/lib/systemd/system/cert-redis.service.d
- name: "copy slice file to cert-redis.service.d"
copy:
src: "{{ role_path }}/templates/service_override_slice.conf.j2"
dest: /usr/lib/systemd/system/cert-redis.service.d/service_override_slice.conf
mode: 0644
when: runtime_env != 'TSG-X-P0906'
- name: "copy cert-redis file to dest"
copy:
src: "{{ role_path }}/files/"
dest: "{{ item.dest }}"
mode: "{{ item.mode }}"
with_items:
- { src: "cert-redis.conf" , dest: "/etc" , mode: "0644" }
- { src: "cert-redis.service" , dest: "/usr/lib/systemd/system" , mode: "0644" }
- name: "replace action: replace service WantedBy from multi-user.target to workload.target"
replace:
path: "{{ item }}"
regexp: 'WantedBy=multi-user.target'
replace: 'WantedBy=workload.target'
with_items:
- /usr/lib/systemd/system/cert-redis.service
- /usr/lib/systemd/system/certstore.service
when: runtime_env != 'TSG-X-P0906'
- name: "replace action: close redis-server daemonize TSG-X-0906"
replace:
path: "/etc/cert-redis.conf"
regexp: 'daemonize yes'
replace: 'daemonize no'
when: runtime_env == 'TSG-X-P0906'
##################### certstore #####################
- name: "start certstore"
systemd:
name: certstore.service
enabled: yes
##################### cert-redis #####################
- name: "start cert-redis"
systemd:
name: cert-redis.service
enabled: yes


@@ -1,6 +0,0 @@
#Type Path Mode User Group Age Argument
d /var/log/certstore/ 0755 - - 7d -
d /run/certstore/foreign_files 0755 - - - -
d /run/certstore/crashreport 0755 - - 30d -
L /opt/tsg/certstore/logs - - - - /var/log/certstore
L /opt/tsg/certstore/foreign_files - - - - /run/certstore/foreign_files


@@ -1,82 +0,0 @@
[SYSTEM]
#1:print on screen, 0:don't
DEBUG_SWITCH = 1
RUN_LOG_PATH = "conf/zlog.conf"
[breakpad]
{% raw %}{% if coredump.format == 'none' %}
disable_coredump=1
enable_breakpad=0
enable_breakpad_upload=0
{% endif %}
{% if coredump.format == 'core' %}
disable_coredump=0
enable_breakpad=0
enable_breakpad_upload=0
{% endif %}
{% if coredump.format == 'minidump' %}
disable_coredump=1
enable_breakpad=1
{% if coredump.collect == 'sentry' %}
enable_breakpad_upload=1
breakpad_upload_url={{ coredump.sentry_url }}
{% endif %}
{% if coredump.collect == 'local' %}
enable_breakpad_upload=0
{% endif %}
{% endif %}
{% endraw %}
breakpad_minidump_dir="/run/certstore/crashreport"
breakpad_upload_tools="/opt/tsg/framework/bin/minidump_upload"
[CONFIG]
#Number of running threads
thread-nu = 4
#1 rsync, 0 sync
mode=1
#Local default root certificate is valid for 30 days by default
expire_after = 30
#Local default root certificate path
local_debug = 1
ca_path = ./cert/tsg-ca-v3-trust-ca.pem
untrusted_ca_path = ./cert/tsg-ca-v3-untrust-ca.pem
[MAAT]
#Configure the load mode,
#0: using the configuration distribution network
#1: using local json
#2: using Redis reads
maat_json_switch=2
#When the loading mode is sent to the network, set the scanning configuration modification interval (s).
effective_interval=1
#Specify the location of the configuration library table file
table_info=./conf/table_info.conf
#Incremental profile path
inc_cfg_dir=./rule/inc/index
#Full profile path
full_cfg_dir=./rule/full/index
#Json file path when json schema is used
pxy_obj_keyring=./conf/pxy_obj_keyring.json
[LIBEVENT]
#Local monitor port number, default is 9991
port = 9991
[CERTSTORE_REDIS]
#The Redis server IP address and port number where the certificate is stored locally
ip = 127.0.0.1
port = 6379
[MAAT_REDIS]
#Maat monitors the Redsi server IP address and port number
ip = {% raw %}{{ cm_policy_server_ip }}
{% endraw %}
port = {% raw %}{{ cm_policy_server_port }}
{% endraw %}
{% raw %}dbindex = {{ vsys_id }}
{% endraw %}
[stat]
statsd_server=127.0.0.1
statsd_port=8100
statsd_set_prometheus_port=9002
statsd_set_prometheus_url_path=/metrics


@@ -1,2 +0,0 @@
[Service]
Environment=HASPUSER_PREFIX=/etc/haspuser/


@@ -1,2 +0,0 @@
[Service]
Slice=workload.slice


@@ -1,11 +0,0 @@
[global]
default format = "%d(%c), %V, %F, %U, %m%n"
rotate lock file = /tmp/certstore_zlog.lock
file perms = 644
[levels]
DEBUG=10
INFO=20
FATAL=30
[rules]
*.fatal "./logs/error.log.%d(%F)";
*.fatal "./logs/certstore.log.%d(%F)"


@@ -1,178 +0,0 @@
- name: "update all"
yum:
name: '*'
conf_file: "{{ rpm_repo_config_path }}"
state: latest
- name: "hotfix for dnf broken"
shell:
cmd: "dnf upgrade --refresh rpm glibc && rm /var/lib/rpm/.rpm.lock && dnf upgrade dnf"
- name: "install tcpdump"
yum:
name: tcpdump
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install numactl-libs"
yum:
name: numactl-libs
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install iproute"
yum:
name: iproute
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install iptables"
yum:
name: iptables
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install procps"
yum:
name: procps
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install net-tools"
yum:
name: net-tools
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install ethtool"
yum:
name: ethtool
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install gdb"
yum:
name: gdb
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install ipmitool"
yum:
name: ipmitool
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install liburing"
yum:
name: liburing
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install vim"
yum:
name: vim
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install lrzsz"
yum:
name: lrzsz
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install libnsl"
yum:
name: libnsl
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install perf"
yum:
name: perf
conf_file: "{{ rpm_repo_config_path }}"
state: present
releasever: 8.6
- name: "install libnsl"
yum:
name: jq
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install perl"
yum:
name: perl
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install perl-open"
yum:
name: perl-open
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install valgrind"
yum:
name: valgrind
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install python2"
yum:
name: python2
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "Install python module"
shell: pip2 install -i https://pypi.tuna.tsinghua.edu.cn/simple PrettyTable==0.7.2
- name: "install flamegraphs for perf"
yum:
name: js-d3-flame-graph
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install python3"
yum:
name: python3
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install python3 prettytable"
shell: python3 -m pip install prettytable
- name: "install python3 jinja2"
shell: python3 -m pip install jinja2
- name: "install dnsutils"
yum:
name: dnsutils
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install wireshark"
yum:
name: wireshark
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install crudini"
yum:
name: crudini
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install inotify-tools"
yum:
name: inotify-tools
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "install python3 tomlq"
shell: python3 -m pip install tomlq
- name: "install python3 toml"
shell: python3 -m pip install toml
- name: "install python3 sdnotify"
shell: python3 -m pip install sdnotify


@@ -1,55 +0,0 @@
---
- name: "download rpm packages: firewall"
yum:
name: "{{ item.value }}"
conf_file: "{{ rpm_repo_config_path }}"
state: present
download_only: yes
download_dir: "{{ path_download }}"
with_dict: "{{ firewall_rpm_version }}"
- name: "Install firwall that are sapp plugins"
shell: rpm -i /tmp/rpm_download/{{ item.1 }}* --prefix {{ prefix_path.sapp }}
when:
- item.0 is not search("stellar-c")
- item.0 is not search("firewall")
loop: "{{ firewall_rpm_version | dictsort }}"
- name: "Install firwall and stellar-c rpm plugins"
shell: rpm -i /tmp/rpm_download/{{ item }}* --prefix /opt/tsg/
with_items:
- "{{ firewall_rpm_version['stellar-c'] }}"
- "{{ firewall_rpm_version['firewall'] }}"
- name: "Template the tsgconf/main.conf"
template:
src: "{{ role_path }}/templates/main.conf.j2.j2"
dest: /opt/tsg/tsg-os-provision/templates/main.conf.j2
tags: template
when: runtime_env != 'TSG-X-P0906'
- name: "Template the tsgconf/maat.conf"
template:
src: "{{ role_path }}/templates/maat.conf.j2.j2"
dest: /opt/tsg/tsg-os-provision/templates/maat.conf.j2
tags: template
when: runtime_env != 'TSG-X-P0906'
- name: "Template the conf/http/http.conf"
template:
src: "{{ role_path }}/templates/http.conf.j2"
dest: /opt/tsg/sapp/conf/http/http.conf
tags: template
- name: "Template the conf/quic/main.conf"
template:
src: "{{ role_path }}/templates/quic/main.conf.j2"
dest: /opt/tsg/sapp/conf/quic/main.conf
tags: template
- name: "Template the /opt/tsg/sapp/plug/business/firewall/firewall.inf"
template:
src: "{{ role_path }}/templates/firewall.inf.j2.j2"
dest: /opt/tsg/tsg-os-provision/templates/firewall.inf.j2
tags: template
when: runtime_env != 'TSG-X-P0906'


@@ -1,53 +0,0 @@
[PLUGINFO]
PLUGNAME=FIREWALL
SO_PATH=./plug/business/firewall/firewall.so
INIT_FUNC=firewall_init
DESTROY_FUNC=firewall_destory
[SSL]
FUNC_FLAG=SSL_CLIENT_HELLO,SSL_SERVER_HELLO,SSL_APPLICATION_DATA,SSL_CERTIFICATE_DETAIL
FUNC_NAME=firewall_ssl_plug_entry
[MAIL]
FUNC_FLAG=ALL
FUNC_NAME=firewall_mail_plug_entry
[HTTP]
FUNC_FLAG=ALL
FUNC_NAME=firewall_http_plug_entry
[QUIC]
FUNC_FLAG=QUIC_CLIENT_HELLO,QUIC_SERVER_HELLO,QUIC_CACHED_CERT,QUIC_COMM_CERT,QUIC_CERT_CHAIN,QUIC_VERSION,QUIC_APPLICATION_DATA
FUNC_NAME=firewall_quic_plug_entry
[FTP]
FUNC_FLAG=ALL
FUNC_NAME=firewall_ftp_plug_entry
[RTP]
FUNC_FLAG=ALL
FUNC_NAME=firewall_rtp_plug_entry
[SIP]
FUNC_FLAG=ALL
FUNC_NAME=firewall_sip_plug_entry
[SSH]
FUNC_FLAG=ALL
FUNC_NAME=firewall_ssh_plug_entry
[STRATUM]
FUNC_FLAG=ALL
FUNC_NAME=firewall_stratum_plug_entry
[RDP]
FUNC_FLAG=ALL
FUNC_NAME=firewall_rdp_plug_entry
[DNS]
FUNC_FLAG=ALL
FUNC_NAME=firewall_dns_plug_entry
[DTLS]
FUNC_FLAG=ALL
FUNC_NAME=firewall_dtls_plug_entry


@@ -1,43 +0,0 @@
#http_special
#all regions
1 HTTP_ALL
2 HTTP_OTHER_REGIONS
#http state
3 HTTP_STATE
4 HTTP_REQ_LINE
5 HTTP_RES_LINE
6 HTTP_CONTENT
7 HTTP_UNGZIP_CONTENT
8 HTTP_MESSAGE_URL
9 HTTP_URI
#http_request
10 HTTP_HOST
11 HTTP_REFERER
12 HTTP_USER_AGENT
13 HTTP_COOKIE
14 HTTP_PROXY_AUTHORIZATION
15 HTTP_AUTHORIZATION
#http_response
16 HTTP_LOCATION
17 HTTP_SERVER
18 HTTP_ETAG
#http_general
19 HTTP_DATE
20 HTTP_TRAILER
21 HTTP_TRANSFER_ENCODING
22 HTTP_VIA
23 HTTP_PRAGMA
24 HTTP_CONNECTION
#http_content
25 HTTP_CONT_ENCODING
26 HTTP_CONT_LANGUAGE
27 HTTP_CONT_LOCATION
28 HTTP_CONT_DISPOSITION
29 HTTP_CONT_RANGE
30 HTTP_CONT_LENGTH
31 HTTP_CONT_TYPE
32 HTTP_CHARSET
33 HTTP_EXPIRES
34 HTTP_X_FLASH_VERSION
35 HTTP_TRANSFER_LENGTH
36 Set-Cookie


@@ -1,59 +0,0 @@
[CM_STATIC_MAAT]
###file, json, redis
MAAT_MODE=redis
STAT_SWITCH=1
PERF_SWITCH=0
HIT_GROUP_SWITCH=1
TABLE_INFO=tsgconf/firewall_cm_maat_tableinfo.json
STAT_FILE=metrics/firewall_cm_maat_stat.json
EFFECT_INTERVAL_MS=1000
GARBAGE_COLLECT_MS=60000
RULE_UPDATE_CHECK_INTERVAL_MS=1000
REDIS_IP={% raw %}{{ cm_policy_server_ip }}
{% endraw %}
REDIS_PORT={% raw %}{{ cm_policy_server_port }}
{% endraw %}
{% raw %}REDIS_INDEX={{ vsys_id }}
{% endraw %}
JSON_CFG_FILE=tsgconf/firewall_cm_maat_rule.json
INC_CFG_DIR=tsgrule/inc/index/
FULL_CFG_DIR=tsgrule/full/index/
EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
LOG_PATH="log/firewall.cm.maat"
[SD_DYNAMIC_MAAT]
MAAT_MODE=redis
STAT_SWITCH=1
PERF_SWITCH=1
TABLE_INFO=tsgconf/firewall_sd_maat_tableinfo.json
STAT_FILE=metrics/firewall_sd_maat_stat.json
EFFECT_INTERVAL_MS=100
GARBAGE_COLLECT_MS=30000
RULE_UPDATE_CHECK_INTERVAL_MS=100
REDIS_IP=127.0.0.1
REDIS_PORT_NUM=1
REDIS_PORT=7002
REDIS_INDEX=1
JSON_CFG_FILE=tsgconf/firewall_sd_maat_rule.json
INC_CFG_DIR=tsgrule/inc/index/
FULL_CFG_DIR=tsgrule/full/index/
EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
LOG_PATH="log/firewall.sd.maat"
[MAAT]
{% raw %}{% set tags_list = [] %}
{% if data_center.name is defined %}
{% set tag_json = "{\"tag\":\"" ~ "data_center" ~ "\",\"value\":\"" ~ data_center.name ~ "\"}" %}
{{tags_list.append(tag_json)}}{% endif %}
{% if device.tags is defined %}
{% for device_tag in device.tags %}
{% for key,value in device_tag.items() %}
{% set tag_json = "{\"tag\":\"" ~ key ~ "\",\"value\":\"" ~ value ~ "\"}" %}
{{tags_list.append(tag_json)}}{% endfor %}
{% endfor %}
{% endif %}
{% if data_center.name is not defined and device.tags is not defined %}
{{ device.tags }}
{% endif %}
ACCEPT_TAGS={"tags":[{{ tags_list | join(",") }}]}
{% endraw %}


@@ -1,118 +0,0 @@
[MAAT]
PROFILE="./tsgconf/maat.conf"
[TSG_LOG]
IPFIX_SCHEMA_PROFILE=./tsgconf/firewall_logger_ipfix_schema.json
LOGGER_SCHEMA_PROFILE=./tsgconf/firewall_logger_transmitter_schema.json
TRAFFIC_VSYSTEM_ID={% raw %}{{ vsys_id }}
{% endraw %}
NIC_NAME="{{ control_and_policy.nic_name }}"
COMMON_FIELD_FILE="tsgconf/tsg_log_field.conf"
{% raw %}
{% if sessionrecord.enable_contains_app_id == 1 %}
SEND_APP_ID_SWITCH=1
{% else %}
SEND_APP_ID_SWITCH=0
{% endif %}
{% if sessionrecord.enable_interim_record == 1 %}
SEND_INTERIM_RECORD=1
{% else %}
SEND_INTERIM_RECORD=0
{% endif %}
{% if sessionrecord.enable_transcation_record == 1 %}
SEND_TRANSACTION_RECORD=1
{% else %}
SEND_TRANSACTION_RECORD=0
{% endif %}
{% endraw %}
[SYSTEM]
NIC_NAME="{{ control_and_policy.nic_name }}"
{% raw %}{% if data_center.id is defined %}
DATACENTER_ID={{ data_center.id }}
{% elif session_id_generator.snowflake_worker_id_base is defined %}
DATACENTER_ID={{ session_id_generator.snowflake_worker_id_base }}
{% else %}
DATACENTER_ID={{ session_id_generator.snowflake_worker_id_base }}
{% endif %}
{% endraw %}
LOG_LEVEL=30
LOG_PATH="firewall.log"
L7_PROTOCOL_FILE="./tsgconf/firewall_l7_protocol.conf"
DEVICE_ID_COMMAND="hostname | awk -F'-' '{print $3}'| awk -F'adc' '{print $2}'"
{% raw %}{% if device.sequence_in_data_center is defined %}
DEVICE_SEQ_IN_DATA_CENTER={{ device.sequence_in_data_center }}
{% elif session_id_generator.snowflake_worker_id_offset is defined %}
DEVICE_SEQ_IN_DATA_CENTER={{ session_id_generator.snowflake_worker_id_offset }}
{% else %}
DEVICE_SEQ_IN_DATA_CENTER={{ session_id_generator.snowflake_worker_id_offset }}
{% endif %}
{% endraw %}
GENERATE_JA3_FINGERPRINT=1
PERIODIC_SCAN_INTERVAL_MS=120000
APPSKETCH_SWITCH=1
[FIREWALL]
# hijack, replace
PACKET_RESPONSE_MODE=replace
HTTP_PAGE200=./tsgconf/HTTP200.html
HTTP_PAGE204=./tsgconf/HTTP204.html
HTTP_PAGE403=./tsgconf/HTTP403.html
HTTP_PAGE404=./tsgconf/HTTP404.html
[FIREWALL_LOCAL_STAT]
STAT_NAME="firewall"
STAT_INTERVAL_TIME_S=5
STAT_OUTPATH="metrics/firewall_local_file_stat.json"
[qdpi_detector]
debug_swtich=30
intput_max_packet=20
qmdpi_engine_config=injection_mode=stream;nb_workers={{ workload_firewall.worker_threads }};nb_flows=8000;basic_dpi_enable=1;classification_cache_enable=0;fm_flow_table_alloc_mode=0
{% if dp_steering_firewall.enable_mirror == 1 %}
[TRAFFIC_MIRROR]
TRAFFIC_MIRROR_ENABLE=1
NIC_NAME="{{ dp_traffic_mirror.nic_name }}"
DEFAULT_VLAN_ID={{ dp_traffic_mirror.traffic_mirror_vlan_id }}
{% endif %}
{% raw %}
[SHAPING]
SWARMKV_CLUSTER_NAME="tsg-shaping-vsys{{ vsys_id }}"
SWARMKV_NODE_IP="0.0.0.0"
SWARMKV_NODE_PORT=8551
SWARMKV_CONSUL_IP="127.0.0.1"
SWARMKV_CONSUL_PORT=8500
SWARMKV_CLUSTER_ANNOUNCE_IP="127.0.0.1"
SWARMKV_CLUSTER_ANNOUNCE_PORT=8551
SWARMKV_HEALTH_CHECK_PORT=8552
SWARMKV_HEALTH_CHECK_ANNOUNCE_PORT=8552
TELEGRAF_IP="127.0.0.1"
TELEGRAF_PORT=8200
SESSION_QUEUE_LEN_MAX=128
PRIORITY_QUEUE_LEN_MAX=1024
#POLLING_NODE_NUM_MAX=[ 3, 2, 2, 1, 1, 1, 1, 1, 1, 1 ]
POLLING_NODE_NUM_MAX={"polling_node_num_max":[ 3, 2, 2, 1, 1, 1, 1, 1, 1, 1 ]}
{% endraw %}
[PROTO_IDENTIFY]
MAX_IDENTIFY_PACKETS=10
[SESSION_FLAGS]
#RANDOM_LOOKING_JUDGE_LIST={"random_looking_judge_list":[ "frequency", "block_frequency", "cumulative_sums", "runs", "longest_run", "rank", "non_overlapping_template_matching", "overlapping_template_matching", "universal", "random_excursions", "random_excursions_variant", "poker_detect", "runs_distribution", "self_correlation", "binary_derivative" ]}
RANDOM_LOOKING_JUDGE_LIST={"random_looking_judge_list":[]}
[SF_CLASSIFIER]
SYNC_MODE=1
[STAT_POLICY_ENFORCER]
POLICY_CYCLE_INTERVAL_S=1
POLICY_CYCLE_NUM_SUBMIT=4


@@ -1,2 +0,0 @@
[QUIC]
QUIC_PORT_LIST=443;8443;4433;


@@ -1 +0,0 @@
/opt/tsg/framework/lib/


@@ -1 +0,0 @@
export PATH=/opt/tsg/framework/bin:$PATH


@@ -1,66 +0,0 @@
- name: "copy framework rpms to destination server"
copy:
src: "{{ role_path }}/files/"
dest: "/tmp/ansible_deploy/"
- name: "uninstall rsyslog-kafka and librdkafka"
yum:
name: "{{ item }}"
state: absent
with_items:
- rsyslog-kafka
- librdkafka
- name: "download rpm packages: framework"
yum:
name: "{{ item.1 }}"
state: present
conf_file: "{{ rpm_repo_config_path }}"
download_only: yes
download_dir: "{{ path_download }}"
loop: "{{ framework_rpm_version | dictsort }}"
when:
- item.1 is not search("libswarmkv-tools")
- item.1 is not search("libswarmkv")
- name: "download rpm packages: libswarmkv"
yum:
name: "{{ item }}"
state: present
conf_file: "{{ rpm_repo_config_path }}"
download_only: yes
download_dir: "{{ path_download }}"
with_items:
- "{{ framework_rpm_version['18_libswarmkv'] }}"
- "{{ framework_rpm_version['19_libswarmkv-tools'] }}"
when: runtime_env == 'TSG-X-P0906'
- name: "Install frameworks"
shell: rpm -i /tmp/rpm_download/{{ item.1 }}* --prefix {{ prefix_path.framework }}
when:
- item.1 is not search("libswarmkv-tools")
- item.1 is not search("libswarmkv")
loop: "{{ framework_rpm_version | dictsort }}"
- name: "Install libswarmkv-tool"
shell: rpm -i /tmp/rpm_download/{{ item }}* --prefix {{ prefix_path.framework }} --nodeps
with_items:
- "{{ framework_rpm_version['18_libswarmkv'] }}"
- "{{ framework_rpm_version['19_libswarmkv-tools'] }}"
when: runtime_env == 'TSG-X-P0906'
- name: "mkdir /etc/ld.so.conf.d/"
file:
path: /etc/ld.so.conf.d/
state: directory
- name: "copy framework.conf to destination server"
copy:
src: "{{ role_path }}/files/framework.conf"
dest: /etc/ld.so.conf.d/
- name: "copy framework.sh to destination for execute files of framework"
copy:
src: "{{ role_path }}/files/framework.sh"
dest: /etc/profile.d/
mode: 0755


@@ -1,10 +0,0 @@
- name: "download rpm packages: http_healthcheck"
yum:
name: "{{ http_healthcheck_rpm_version.http_healthcheck }}"
conf_file: "{{ rpm_repo_config_path }}"
state: present
download_only: yes
download_dir: "{{ path_download }}"
- name: "Install http_healthcheck that is sapp plugins"
shell: rpm -i /tmp/rpm_download/{{ http_healthcheck_rpm_version.http_healthcheck }}* --prefix {{ prefix_path.sapp }}


@@ -1,32 +0,0 @@
- name: "redis rpm install:copy file to device"
copy:
src: '{{ role_path }}/files/'
dest: /tmp/ansible_deploy/
- name: "redis rpm install:install redis"
yum:
name:
- "/tmp/ansible_deploy/redis-6.2.5-1.el7.remi.x86_64.rpm"
state: present
disable_gpg_check: yes
- name: "Create /usr/lib/systemd/system/redis.service.d directory if it does not exist"
file:
path: "{{ item }}"
state: directory
mode: '0755'
with_items:
- /usr/lib/systemd/system/redis.service.d
- name: "copy slice file to redis.service.d"
copy:
src: "{{ role_path }}/templates/service_override_slice.conf.j2"
dest: /usr/lib/systemd/system/redis.service.d/service_override_slice.conf
mode: 0644
when: runtime_env != 'TSG-X-P0906'
- name: "redis exporter"
copy:
src: '{{ role_path }}/files/'
dest: /usr/bin/
mode: 0755


@@ -1,2 +0,0 @@
[Service]
Slice=workload.slice


@@ -1,2 +0,0 @@
[Service]
ExecStartPre=/bin/bash -c "echo 'Sapp pre start'"


@@ -1,2 +0,0 @@
[Service]
ExecStartPre=/bin/bash tera_fake_promisc_setup.sh


@@ -1,4 +0,0 @@
set -ex
dp_adapter_ether_addr=$(ifconfig eth_rsv | grep ether | awk '{print $2}')
bpf_rule="ether dst $dp_adapter_ether_addr or ether dst 02:42:c0:a8:fd:03 or ether dst 02:42:c0:a8:fd:85 or ether dst 02:42:c0:a8:fd:82"
sed -i "/BSD_packet_filter=/s/=.*/=\"$bpf_rule\"/" etc/sapp.toml


@@ -1,223 +0,0 @@
---
- name: "download rpm packages: sapp and tcpdump_mesa"
yum:
name: "{{ item.value }}"
conf_file: "{{ rpm_repo_config_path }}"
state: present
download_only: yes
download_dir: "{{ path_download }}"
with_dict: "{{ sapp_rpm_version }}"
- name: "download rpm packages: jemalloc"
yum:
name: "jemalloc"
conf_file: "{{ rpm_repo_config_path }}"
state: present
- name: "Create directory /opt/tsg/framework and /opt/tsg/sapp if they not exist"
file:
path: "{{ item }}"
state: directory
mode: '0644'
with_items:
- /opt/tsg/sapp
- /opt/tsg/framework
- name: "Install sapp rpm package"
shell: rpm -i /tmp/rpm_download/{{ item.value }}* --prefix {{ prefix_path.sapp }}
when: item.key is search("sapp")
with_dict: "{{ sapp_rpm_version }}"
- name: "Install tcpdump_mesa rpm package"
shell: rpm -i /tmp/rpm_download/{{ sapp_rpm_version.tcpdump_mesa }}* --prefix {{ prefix_path.framework }}
- name: replace sapp service
replace:
path: "{{ item }}"
regexp: '/home/mesasoft/sapp_run'
replace: '/opt/tsg/sapp'
with_items:
- /usr/lib/systemd/system/sapp.service
- /etc/sysconfig/sapp
- name: replace Requires to Wants in sapp service file
replace:
path: "{{ item }}"
regexp: 'Requires'
replace: 'Wants'
with_items:
- /usr/lib/systemd/system/sapp.service
- name: "mkdir tsgconf"
file:
path: /opt/tsg/sapp/tsgconf
state: directory
- name: Template the sapp.toml
template:
src: "{{ role_path }}/templates/sapp.toml.j2.j2"
dest: /opt/tsg/tsg-os-provision/templates/sapp.toml.j2
tags: template
when: runtime_env != 'TSG-X-P0906'
- name: Template the project_list.conf
template:
src: "{{ role_path }}/templates/project_list.conf.j2"
dest: /opt/tsg/sapp/etc/project_list.conf
tags: template
- name: Template the send_raw_pkt.conf
template:
src: "{{ role_path }}/templates/send_raw_pkt.conf.j2"
dest: /opt/tsg/sapp/etc/send_raw_pkt.conf
tags: template
when: runtime_env != 'TSG-X-P0906'
- name: Template the conflist.inf - tsg_server
template:
src: "{{ role_path }}/templates/conflist.inf.j2.j2"
dest: /opt/tsg/tsg-os-provision/templates/conflist.inf.j2
tags: template
when: runtime_env != 'TSG-X-P0906'
- name: Template the entrylist.conf.j2
template:
src: "{{ role_path }}/templates/entrylist.conf.j2"
dest: /opt/tsg/sapp/etc/entrylist.conf
tags: template
- name: Template the asymmetric_addr_layer.conf.j2
template:
src: "{{ role_path }}/templates/asymmetric_addr_layer.conf.j2"
dest: /opt/tsg/sapp/etc/asymmetric_addr_layer.conf
tags: template
- name: Template the necessary_plug_list.conf - 7400-MCN0 and 9140
template:
src: "{{ role_path }}/templates/necessary_plug_list.conf.j2"
dest: /opt/tsg/sapp/etc/necessary_plug_list.conf
tags: template
- name: Template the vlan_flipping_map.conf - tsg-7400
template:
src: "{{ role_path }}/templates/vlan_flipping_map.conf.j2.j2.7400MCN0P01R01"
dest: /opt/tsg/tsg-os-provision/templates/vlan_flipping_map.conf.j2
tags: template
when:
- runtime_env == 'TSG-7400-mcn0'
- name: Template the sapp_log.conf
template:
src: "{{ role_path }}/templates/sapp_log.conf.j2"
dest: /opt/tsg/sapp/etc/sapp_log.conf
tags: template
- name: Template the sapp_tmpfile.conf
template:
src: "{{ role_path }}/templates/sapp_tmpfile.conf.j2"
dest: /usr/lib/tmpfiles.d/sapp_tmpfile.conf
tags: template
- name: Template the gdev.conf
template:
src: "{{ role_path }}/templates/gdev.conf.j2.j2"
dest: /opt/tsg/tsg-os-provision/templates/gdev.conf.j2
tags: template
when: runtime_env != 'TSG-X-P0906'
- name: Template the well_known_port.conf
template:
src: "{{ role_path }}/templates/well_known_port.conf.j2"
dest: /opt/tsg/sapp/etc/well_known_port.conf
tags: template
- name: "Create /usr/lib/systemd/system/sapp.service.d/ directory if it does not exist"
file:
path: "{{ item }}"
state: directory
mode: '0755'
with_items:
- /usr/lib/systemd/system/sapp.service.d
- name: "sapp: service override timeoutsec"
template:
src: "{{ role_path }}/templates/service_override_timeoutsec.conf.j2"
dest: /usr/lib/systemd/system/sapp.service.d/service_override_timeoutsec.conf
mode: 0644
- name: "copy slice file to sapp.service.d"
copy:
src: "{{ role_path }}/templates/service_override_slice.conf.j2"
dest: /usr/lib/systemd/system/sapp.service.d/service_override_slice.conf
mode: 0644
when: runtime_env != 'TSG-X-P0906'
- name: "copy env conf to sapp.service.d"
copy:
src: "{{ role_path }}/templates/service_override_env.conf.j2"
dest: /usr/lib/systemd/system/sapp.service.d/service_override_env.conf
mode: 0644
- name: "copy fake promisc tools for tera mode - service file and scripts"
copy:
src: "{{ item.src }}"
dest: /opt/tsg/tsg-os-provision/files/
mode: "{{ item.mode }}"
with_items:
- { src: "{{ role_path }}/files/service_attach_startpre.conf.tera", mode: "0644" }
- { src: "{{ role_path }}/files/service_attach_startpre.conf.except_tera", mode: "0644" }
- { src: "{{ role_path }}/files/tera_fake_promisc_setup.sh", mode: "0755" }
when:
- runtime_env == 'TSG-7400-mcn0'
- name: "replace action: replace service WantedBy from multi-user.target to workload.target"
replace:
path: "{{ item }}"
regexp: 'WantedBy=multi-user.target'
replace: 'WantedBy=workload.target'
with_items:
- /usr/lib/systemd/system/sapp.service
when: runtime_env != 'TSG-X-P0906'
- name: "mkdir -p /opt/tsg/sapp/bin"
file:
path: /opt/tsg/sapp/bin
state: directory
when: runtime_env != 'TSG-X-P0906'
- name: "copy set_shaping_addr.sh file to dest"
template:
src: "{{ role_path }}/templates/set_shaping_addr.sh.j2"
dest: /opt/tsg/sapp/bin/set_shaping_addr.sh
mode: 0755
when: runtime_env != 'TSG-X-P0906'
- name: "copy set_shaping_addr.sh file to dest"
template:
src: "{{ role_path }}/templates/set_shaping_addr.sh.j2"
dest: /opt/tsg/sapp/bin/set_shaping_addr.sh
mode: 0755
when: runtime_env != 'TSG-X-P0906'
- name: "copy startpre file to sapp.service.d"
copy:
src: "{{ role_path }}/templates/service_startpre.conf.j2"
dest: /usr/lib/systemd/system/sapp.service.d/service_startpre.conf
mode: 0644
when: runtime_env != 'TSG-X-P0906'
- name: 'delete r2,r3'
file:
path: "/opt/tsg/sapp/{{ item }}"
state: absent
with_items:
- r2
- r3
##################### sapp #####################
- name: "enable sapp"
systemd:
name: sapp
enabled: yes


@@ -1,9 +0,0 @@
#layer name definition: ipv4, ipv6, ethernet,vlan, arp, gre, mpls, pppoe, tcp, udp, l2tp, ppp, pptp, gtp
#pattern: asymmetric_layer_name[layer index]
#The symbol "*" represents any layer
ethernet[*]
vlan[*]
vxlan[*]
mpls[*]
gre[*]
gtp[*]


@@ -1,46 +0,0 @@
[platform]
./plug/stellar_on_sapp/start_loader.inf
{% if ddossketch.enable == 1 %}
./plug/platform/tsg_ddos_sketch/tsg_ddos_sketch.inf
{% endif %}
{% endraw %}
[protocol]
./plug/protocol/deal_socks/deal_socks.inf
{% raw %}{% if firewall.enable_sip == 1 %}
./plug/protocol/sip/sip.inf
{% endif %}
{% endraw %}
./plug/protocol/rtp/rtp.inf
./plug/protocol/ssl/ssl.inf
./plug/protocol/http/http.inf
./plug/protocol/dns/dns.inf
./plug/protocol/mail/mail.inf
./plug/protocol/ftp/ftp.inf
./plug/protocol/quic/quic.inf
./plug/protocol/l2tp_protocol_plug/l2tp_protocol_plug.inf
./plug/protocol/ssh/ssh.inf
./plug/protocol/stratum/stratum.inf
./plug/protocol/rdp/rdp.inf
{% raw %}{% if firewall.enable_dtls == 1 %}
./plug/protocol/dtls/dtls.inf
{% endif %}
{% endraw %}
[business]
{% raw %}{% if firewall.enable == 1 %}
./plug/business/firewall/firewall.inf
{% endif %}
{% if proxy.enable == 1 %}
./plug/business/kni/kni.inf
{% endif %}
./plug/business/conn_telemetry/conn_telemetry.inf
{% endraw %}
{% if runtime_env == 'TSG-7400-mcn0' %}
{% raw %}{% if npb_device == 'tera' %}
./plug/business/http_healthcheck/http_healthcheck.inf
{% endif %}
{% endraw %}
{% endif %}
./plug/stellar_on_sapp/defer_loader.inf


@@ -1,24 +0,0 @@
IP
IPV6
IPV6_RAW
TCP_ALL
TCP
UDP
PHONY
POLLING
IPSEC
L2TP
PPTP
DNS
QUIC
HTTP
MAIL
FTP
SSL
RTP
SIP
SSH
SOCKS
STRATUM
RDP
DTLS


@@ -1,6 +0,0 @@
[Module]
pcapdevice={{ dp_steering_firewall.nic_internal }}
sendto_gdev_card={{ dp_steering_firewall.nic_internal }}
sendto_gdev_ip={% raw %}{{ gdev_conf_keep_alive_ip }}
{% endraw %}
gdev_status_switch=1


@@ -1,23 +0,0 @@
#以下插件如果加载,初始化失败, sapp平台会退出;
#插件的路径来自配置文件 ./plug/conflist.inf, 不需要加段落标识[platform],[protocol],[business]等.
#If the following plugins fail to initialize, the sapp platform will exit.
#The name of the plugin comes from the configuration ./plug/conflist.inf, section identification is not required.
./plug/protocol/sip/sip.inf
./plug/protocol/rtp/rtp.inf
./plug/protocol/ssl/ssl.inf
./plug/protocol/ssh/ssh.inf
./plug/protocol/http/http.inf
./plug/protocol/dns/dns.inf
./plug/protocol/mail/mail.inf
./plug/protocol/ftp/ftp.inf
./plug/protocol/quic/quic.inf
./plug/protocol/rdp/rdp.inf
./plug/protocol/l2tp_protocol_plug/l2tp_protocol_plug.inf
./plug/business/kni/kni.inf
./plug/business/conn_telemetry/conn_telemetry.inf
./plug/business/http_healthcheck/http_healthcheck.inf
./plug/platform/tsg_ddos_sketch/tsg_ddos_sketch.inf 1
./plug/business/firewall/firewall.inf
./plug/stellar_on_sapp/start_loader.inf
./plug/stellar_on_sapp/defer_loader.inf


@@ -1,20 +0,0 @@
tcp_flow_stat struct
udp_flow_stat struct
tcp_deduce_flow_stat struct
POLICY_PRIORITY struct
ESTABLISH_LATENCY long
MAIL_IDENTIFY int
TSG_MASTER_INTERNAL_LABEL struct
APP_ID_LABEL struct
BASIC_PROTO_LABEL struct
USER_DEFINED_ATTRIBUTE struct
SKETCH_TRANS_LAYER_CTX_LABEL struct
SKETCH_PROTO_CTX_LABEL struct
common_link_info_c2s struct
common_link_info_s2c struct
common_link_info struct
JA3_FINGERPRINT_LABEL struct
DKPT_PRO_V2 struct
DPKT_PROJECT_V2 struct
PPROJECT_PRO_V2 struct
DPKT_BHSTAT_PROJECT struct


@@ -1,299 +0,0 @@
###################################################################################################
# NOTE:
# The format of this file is toml (https://github.com/cktan/tomlc99)
# to make vim editor display colorful and human readable,
# you can create a symbolic links named sapp.ini to sapp.toml, ln -sf sapp.toml sapp.ini
###################################################################################################
[SYSTEM]
instance_name = "sapp4"
[CPU]
### note, bind_mask, if you do not want to bind thread to special CPU core, keep it empty as []
worker_threads={{ workload_firewall.worker_threads }}
send_only_threads_max={{ workload_firewall.send_only_threads_max }}
bind_mask=[{{ workload_firewall.cpu_affinity }}]
[MEM]
dictator_enable=0
[PACKET_IO]
[overlay_tunnel_definition]
### note, since 2020-10-01, L2-L3 tunnel(VLAN,MPLS,PPPOE,etc.) is process and offload by mrtunnat,
### after 2020-10-01, sapp support L2-L3 tunnel(VLAN,MPLS,PPPOE,etc.) without mrtunnat.
l2_l3_tunnel_support=1
### note, optional value is [none, vxlan]
{% if dp_steering_firewall.encapsulation == 'vlan' or dp_steering_firewall.encapsulation == 'raw' %}
overlay_mode="none"
{% endif %}
{% if dp_steering_firewall.encapsulation == 'vxlan' %}
overlay_mode="vxlan"
{% endif %}
{% if dp_steering_firewall.encapsulation == 'provision' %}
overlay_mode={% raw %}{{ sapp_overlay_mode }}
{% endraw %}
{% endif %}
[packet_io.feature]
destroy_all_plug_enabled = 0
### note, used to represent inbound or outbound direction value,
### because it comes from Third party device, so it needs to be specified manually,
### if inbound_route_dir=1, then outbound_route_dir=0, vice versa,
### in other words, outbound_route_dir = 1 ^ inbound_route_dir;
inbound_route_dir=1
### note, BSD_packet_filter, if you do not want to set any filter rule, keep it empty as ""
BSD_packet_filter=""
### note, same as tcpdump -Q/-P arg, possible values are `in', `out' and `inout', default is "in"
pcap_capture_direction="in"
### note, depolyment.mode options: [sys_route, vxlan_by_inline_device, raw_ethernet_single_gateway, raw_ethernet_multi_gateway]
### sys_route: send ip(ipv6) packet by system route table, this is default mode in mirror mode;
### vxlan_by_inline_device: encapsulation inject packet with vxlan, and then send to inline device by udp socket.
### raw_ethernet_single_gateway: send layer2 ethernet packet to specific gateway in same broadcast domain.
### raw_ethernet_multi_gateway: send layer2 ethernet packet to multiple gateway in same broadcast domain.
inject_pkt_mode="default"
inject_pkt_prepend_segment_id=0
### note, this config is valid if inject_pkt_mode==vxlan_by_inline_device, means udp socket src port.
#inject_mode_inline_device_sport=54789
### note, this config is valid if inject_pkt_mode==raw_ethernet_single_gateway.
#inject_mode_single_gateway_device="eth1"
### inject_mode_single_gateway_src_mac has lower priority than get smac from inject_mode_single_gateway_device
#inject_mode_single_gateway_src_mac="00:11:22:77:88:99"
#inject_mode_single_gateway_dst_mac="00:11:22:33:44:55"
#dumpfile_sleep_time_before_exit=3
### note, deployment.mode options: [mirror, inline, transparent]
[packet_io.deployment]
{% if dp_steering_firewall.deployment == 'inline' %}
mode="inline"
{% endif %}
{% if dp_steering_firewall.deployment == 'mirror' %}
mode="mirror"
{% endif %}
{% if dp_steering_firewall.deployment == 'transparent' %}
mode="transparent"
{% endif %}
### note, interface.type options: [pag,pcap,marsio]
[packet_io.internal.interface]
{% if dp_steering_firewall.capture_packet == 'driver' %}
type="marsio"
{% endif %}
{% if dp_steering_firewall.capture_packet == 'pcap' %}
type="pcap"
{% endif %}
name={{ dp_steering_firewall.nic_internal }}
[packet_io.external.interface]
type="pcap"
name=lo
[packet_io.polling]
### note, polling_priority = call sapp_recv_pkt every call polling_entry times,
polling_priority=100
[packet_io.under_ddos]
### note, to reduce impact of ddos attack,set some stream bypass, all plugins will not process these streams
{% raw %}stream_bypass_enabled={{ feature.enable_stream_bypass_under_ddos }}
{% endraw %}
### note, cpu usage value is percent, for example, config value is 85, means 85%, valid range: [1,100]
### sapp change to bypass state immediately when realtime cpu usage > bypass_trigger_cpu_usage
{% raw %}bypass_trigger_cpu_usage={{ advanced_settings.stream_bypass_trigger_cpu_usage }}
{% endraw %}
### note, unit of get_cpu_usage_interval is milliseconds(ms)
get_cpu_usage_interval=500
### note, use the average of the last $smooth_avg_window times as current realtime value
smooth_avg_window=2
decrease_ratio="0.95"
increase_ratio="1.005"
### note, unit of bypass_observe_time is second(s)
recovery_observe_time=30
[PROTOCOL_FEATURE]
ipv6_decapsulation_enabled=1
ipv6_send_packet_enabled=1
tcp_drop_pure_ack_pkt=0
tcp_syn_option_parse_enabled=1
skip_not_ip_layer_over_eth=0
skip_gtp_seq_field_for_inject=1
[DUPLICATE_PKT]
[dup_pkt.traffic.original]
kickout_udp_stream_enabled=0
original_ipv4_tcp_enabled=1
original_ipv4_udp_enabled=0
### note, can't distinguish between duplicate traffic and application retransmit traffic for IPv6 packets,
### so not support IPv6 original duplicate traffic check.
[dup_pkt.traffic.inject]
inject_all_enabled=1
[dup_pkt.parameters]
bloom_capacity=1000000
bloom_error_rate=0.00001
bloom_timeout=10
[STREAM]
### note, stream_id_base_time format is "%Y-%m-%d %H:%M:%S"
stream_id_base_time="2021-01-01 00:00:00"
[stream.tcp]
{% raw %}max={{ advanced_settings.stream_tcp_max }}
timeout={{ advanced_settings.stream_tcp_timeout }}
{% endraw %}
syn_mandatory=1
reorder_pkt_max=128
analyse_option_enabled=1
tuple4_reuse_time_interval=30
meaningful_statistics_minimum_pkt=3
meaningful_statistics_minimum_byte=5
[stream.tcp.inject]
link_mss=1460
[stream.tcp.inject.rst]
auto_remedy=0
number=3
signature_enabled=1
signature_seed1=65535
signature_seed2=13
remedy_kill_tcp_by_inline_device=0
[stream.udp]
{% raw %}max={{ advanced_settings.stream_udp_max }}
timeout={{ advanced_settings.stream_udp_timeout }}
{% endraw %}
meaningful_statistics_minimum_pkt=3
meaningful_statistics_minimum_byte=5
[PROFILING]
[profiling.log]
sapp_log_category="sapp_log"
sapp_plugin_log_category="sapp_plugin_log"
#for profiling-related API control, e.g printaddr
[profiling.metric]
[profiling.metric.fs2]
enabled=0
prometheus_port=9273
prometheus_url_path="/metrics"
local_file="log/fs2_sysinfo.metrics"
refresh_interval_s=1
[profiling.metric.fs3]
enabled=0
prometheus_port=9273
prometheus_url_path="/metrics"
local_file="log/fs3_sysinfo.metrics"
refresh_interval_s=1
[profiling.metric.fs4]
enabled=1
local_file="./metrics/fs4_sysinfo.json"
refresh_interval_s=1
app_name="sapp4"
[profiling.process_latency]
log_category="sapp_process_latency_log"
histogram_enabled=0
local_file="fs2_process_latency.metrics"
refresh_interval_s=1
### note, threshold unit is microseconds (us), legal_scope [1,99999999], max value is 99
threshold_us=1000
### define in time.h,use CLOCK_MONOTONIC_COARSE as default
### 0 means CLOCK_REALTIME, 1 means CLOCK_MONOTONIC, 2 means CLOCK_PROCESS_CPUTIME_ID, 3 means CLOCK_THREAD_CPUTIME_ID
### 4 means CLOCK_MONOTONIC_RAW, 5 means CLOCK_REALTIME_COARSE, 6 means CLOCK_MONOTONIC_COARSE
clock_gettime_id=6
[profiling.sanity_check]
raw_pkt_broken_enabled=0
symbol_conflict_enabled=0
[TOOLS]
[tools.pkt_dump]
enabled=1
### note, mode options value:[storage, udp_socket]
mode="udp_socket"
BSD_packet_filter=""
[tools.pkt_dump.threads]
### note, if you want enable pkt dump in all thread, set dump_thread_all_enabled=1, then 'dump_thread_id' is obsoleted.
### if dump_thread_all_enabled=0, then use dump_thread_id to specify separate specified thread index.
all_threads_enabled=1
### note, dump_thread_id start from 0, max is CPU.worker_threads-1
dump_thread_id=[0,1,2,3,4]
[tools.pkt_dump.udp]
command_port=9345
pkt_dump_ratio=30
[tools.pkt_dump.storage]
### note, file path must be double quotation mark extension, for example, path="/dev/shm/pkt_dump"
path="/dev/shm/pkt_dump"
### note, file size unit: MB
file_size_max_per_thread=10000
[BREAKPAD]
{% raw %}{% if coredump.format == 'none' %}
disable_coredump=1
enable_breakpad=0
enable_breakpad_upload=0
{% endif %}
{% if coredump.format == 'core' %}
disable_coredump=0
enable_breakpad=0
enable_breakpad_upload=0
{% endif %}
{% if coredump.format == 'minidump' %}
disable_coredump=1
enable_breakpad=1
{% if coredump.collect == 'sentry' %}
enable_breakpad_upload=1
breakpad_upload_url="{{ coredump.sentry_url }}"
{% endif %}
{% if coredump.collect == 'local' %}
enable_breakpad_upload=0
{% endif %}
{% endif %}
{% endraw %}
breakpad_minidump_dir="/run/sapp/crashreport"
breakpad_upload_tools="/opt/tsg/framework/bin/minidump_upload"
### note:
### These configurations format is complex and difficult to describe with toml grammar,
### so, create a independent secondary config file to description specific information.
[SECONDARY_CONFIG_LINK]
cfg_file_sapp_log="etc/sapp_log.conf"
cfg_file_plug_list="plug/conflist.inf"
cfg_file_project_list="etc/project_list.conf"
cfg_file_entrylist="etc/entrylist.conf"
cfg_file_send_raw_pkt="etc/send_raw_pkt.conf"
cfg_file_vxlan_sport_map="etc/vxlan_sport_service_map.conf"
cfg_file_inline_device="etc/gdev.conf"
cfg_file_necessary_plug_list="etc/necessary_plug_list.conf"
cfg_file_stream_compare_layer="etc/stream_compare_layer.conf"
cfg_file_vlan_flipping="etc/vlan_flipping_map.conf"
cfg_file_asymmetric_addr_layer="etc/asymmetric_addr_layer.conf"
cfg_file_well_known_port="etc/well_known_port.conf"
[SECONDARY_DATA_LINK]
data_file_sysinfo_log="log/sysinfo.log"
data_file_field_stat_log="log/fs2_sysinfo.log"
data_file_inline_keepalive_log="log/gdev_keeplive_status.log"
[LIBRARY_LINK]
marsio_library_path="{{ prefix_path.mrzcpd }}/lib/libmarsio.so"


@@ -1,18 +0,0 @@
[global]
default format = "%d(%c), %V, %U, %m%n"
rotate lock file = /tmp/sapp_zlog.lock
file perms = 644
[levels]
DEBUG=10
INFO=20
FATAL=30
STOP=40
[formats]
other = "%d(%c), %V, %F, %U, %m%n"
plugin = "%d(%c), %m%n"
[rules]
sapp_log.fatal "./log/runtimelog.%d(%F)"
sapp_plugin_log.fatal >stdout; plugin
sapp_plugin_log.info "./log/plugin.log.%d(%F)"; plugin
sapp_process_latency_log.fatal "./log/sapp_process_latency.log.%d(%F)"
!.fatal "./log/%c.%d(%F)"; other


@@ -1,6 +0,0 @@
#Type Path Mode User Group Age Argument
d /var/log/sapp/ 0755 - - 2d -
d /run/sapp/alerts_files/ 0755 - - - -
d /run/sapp/crashreport 0755 - - 30d -
L /opt/tsg/sapp/log - - - - /var/log/sapp
L /opt/tsg/sapp/alerts_files - - - - /run/sapp/alerts_files


@@ -1,9 +0,0 @@
#(0:pag,1:pcap,2:dumpfile,3:pfring,4:DPDK,5:ppf,6:NPacket,7:qnf,8:N95,9:pcap-dumpfile-list,10:topsec,
##(11:ipfile, 12:marsio4, 13:agent_smith, 14:dpdk_vxlan, 15:marsio_vxlan, 16:pag_marsio
#target_id
0 pag p7p2 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 {{ dp_steering_firewall.nic_internal }} smith dpdk dpdk pag
1 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 {{ dp_steering_firewall.nic_internal }} smith dpdk dpdk pag
#2 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p1 smith dpdk dpdk pag
#3 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p2 smith dpdk dpdk pag
#4 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p2 smith dpdk dpdk pag


@@ -1,3 +0,0 @@
[Service]
Environment="ZLOG_PROFILE_ERROR=/var/log/zlog.error.log"
Environment=HASPUSER_PREFIX=/etc/haspuser/


@@ -1,2 +0,0 @@
[Service]
Slice=workload.slice


@@ -1,2 +0,0 @@
[Service]
TimeoutSec=900s


@@ -1,2 +0,0 @@
[Service]
ExecStartPre=/opt/tsg/sapp/bin/set_shaping_addr.sh


@@ -1,5 +0,0 @@
#!/bin/sh -ex
HOST_IP=$(ip a show {{ control_and_policy.nic_name }} | grep inet | grep -v inet6 | awk '{print $2}' | awk -F '/' '{print $1}')
echo "Log and policy nic ipv4 address:$HOST_IP"
sed -i "s/^SWARMKV_CONSUL_IP.*$/SWARMKV_CONSUL_IP=\"$HOST_IP\"/g" /opt/tsg/sapp/tsgconf/main.conf
sed -i "s/^SWARMKV_CLUSTER_ANNOUNCE_IP.*$/SWARMKV_CLUSTER_ANNOUNCE_IP=\"$HOST_IP\"/g" /opt/tsg/sapp/tsgconf/main.conf


@@ -1,19 +0,0 @@
#for inline a device vlan flipping
#数据包来自C路由器端, 即C2I(I2E)方向,
#数据包来自I路由器端, 即I2C(E2I)方向,
#平台会根据vlan_id,设置当前包route_dir的值, 以便上层业务插件做两个方向的流量统计,
#如果一对vlan_id写反了, 网络是通的, 但是I2E,E2I的流量统计就颠倒了.
#配置文件格式, pattern:
#来自C路由器vlan_id 来自I路由器vlan_id 是否开启mac地址翻转
#C_router_vlan_id I_router_vlan_id mac_flipping_enable
{% raw %}{% if npb_device == 'tera' %}
{% for zone_group in tera_steering_group %}
{{ zone_group.internal.vlan_id }} {{ zone_group.external.vlan_id }} 1
{% endfor %}
{% endif %}
{% if npb_device == 'direct' %}
1000 1001 0
2000 2001 0
{% endif %}
{% endraw %}
4000 4001 0


@@ -1,9 +0,0 @@
# The following ports are considered as server, when creating a new UDP stream or TCP stream without SYN(SYN/ACK) packet.
# You can add other ports according to your needs.
[TCP]
#http
8080
[UDP]
#OICQ
8000


@@ -1,21 +0,0 @@
---
- name: "download rpm packages: sce"
yum:
name:
- "{{ sce_rpm_version.sce }}"
conf_file: "{{ rpm_repo_config_path }}"
state: present
download_only: yes
download_dir: "{{ path_download }}"
- name: "Get sce rpm path"
find:
path: /tmp/rpm_download/
pattern: "{{ sce_rpm_version.sce }}*"
register: sce_rpm_fullname
- name: "Install sce from local path"
yum:
name: "{{ sce_rpm_fullname.files[0].path }}"
state: present
disable_gpg_check: yes


@@ -1,27 +0,0 @@
---
- name: "download rpm packages: shaping_engine"
yum:
name:
- "{{ shaping_engine_rpm_version.shaping_engine }}"
conf_file: "{{ rpm_repo_config_path }}"
state: present
download_only: yes
download_dir: "{{ path_download }}"
- name: "Get shaping_engine rpm path"
find:
path: /tmp/rpm_download/
pattern: "{{ shaping_engine_rpm_version.shaping_engine }}*"
register: shaping_engine_rpm_fullname
- name: "Install shaping_engine from local path"
yum:
name: "{{ shaping_engine_rpm_fullname.files[0].path }}"
state: present
disable_gpg_check: yes
- name: "install epel-release"
shell: yum install epel-release -y
- name: "install jemalloc"
shell: yum install jemalloc -y


@@ -1,3 +0,0 @@
[Unit]
Requires=mrzcpd.service
After=network-online.target mrzcpd.service


@@ -1,23 +0,0 @@
[Unit]
Description=Tango Frontend Engine
Requires=tfe-env.service
After=tfe-env.service
[Service]
Type=notify
ExecStart=/opt/tsg/tfe/bin/tfe
WorkingDirectory=/opt/tsg/tfe/
TimeoutSec=900s
RestartSec=10s
Restart=always
LimitNOFILE=524288
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
Delegate=yes
KillMode=process
WatchdogSec=10s
[Install]
WantedBy=multi-user.target


@@ -1,36 +0,0 @@
-----BEGIN CERTIFICATE-----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=
-----END CERTIFICATE-----


@@ -1,146 +0,0 @@
---
- name: "download rpm packages: tfe"
yum:
name: "{{ item.value }}"
conf_file: "{{ rpm_repo_config_path }}"
state: present
download_only: yes
download_dir: "{{ path_download }}"
with_dict: "{{ tfe_rpm_version }}"
- name: "copy tfe program to destination server"
copy:
src: "{{ role_path }}/files/"
dest: /tmp/ansible_deploy/
- name: "copy tfe.service to destination server"
copy:
src: "{{ role_path }}/files/tfe.service"
dest: /usr/lib/systemd/system/
mode: 0644
- name: "Get tfe rpm final version"
set_fact:
tfe_rpm_final_version: "{{ item.value }}"
when: item.key is search("tfe")
with_dict: "{{ tfe_rpm_version }}"
- name: "Get tfe rpm path"
find:
path: /tmp/rpm_download/
pattern: "{{ tfe_rpm_final_version }}*"
register: tfe_rpm_fullname
- name: "Install tfe from local path"
yum:
name: "{{ tfe_rpm_fullname.files[0].path }}"
state: present
disable_gpg_check: yes
- name: "tfe:copy cert file to device"
copy:
src: '{{ role_path }}/files/tsg_diagnose_ca.pem'
dest: /opt/tsg/tfe/resource/tfe/
- name: "template tfe-env config"
template:
src: "{{ role_path }}/templates/tfe-env-config.j2"
dest: /etc/sysconfig/tfe-env-config
- name: "move tfe sysctl.conf"
shell: mv /etc/sysctl.d/80-tfe.conf /usr/lib/sysctl.d/80-tfe.conf
when: runtime_env != 'TSG-X-P0906'
- name: "template the tfe.conf"
template:
src: "{{ role_path }}/templates/tfe.conf.j2.j2"
dest: /opt/tsg/tsg-os-provision/templates/tfe.conf.j2
when: runtime_env != 'TSG-X-P0906'
- name: "template the zlog.conf"
template:
src: "{{ role_path }}/templates/zlog.conf.j2"
dest: /opt/tsg/tfe/conf/tfe/zlog.conf
- name: "template the future.conf"
template:
src: "{{ role_path }}/templates/future.conf.j2"
dest: /opt/tsg/tfe/conf/tfe/future.conf
- name: "create conf/doh/"
file:
path: /opt/tsg/tfe/conf/doh/
state: directory
- name: "template the doh.conf"
template:
src: "{{ role_path }}/templates/doh.conf.j2"
dest: /opt/tsg/tfe/conf/doh/doh.conf
- name: "create a override conf - first step, create dir"
file:
path: /usr/lib/systemd/system/tfe.service.d/
state: directory
mode: '0755'
- name: "create a override conf - second step, copy a override service file"
template:
src: "{{ role_path }}/templates/require-mrzcpd.conf.j2"
dest: /usr/lib/systemd/system/tfe.service.d/require-mrzcpd.conf
- name: "copy slice file to tfe.service.d"
copy:
src: "{{ role_path }}/templates/service_override_slice.conf.j2"
dest: /usr/lib/systemd/system/tfe.service.d/service_override_slice.conf
mode: 0644
when: runtime_env != 'TSG-X-P0906'
- name: "copy env file to tfe.service.d"
copy:
src: "{{ role_path }}/templates/service_override_env.conf.j2"
dest: /usr/lib/systemd/system/tfe.service.d/service_override_env.conf
mode: 0644
- name: "replace action: replace service WantedBy from multi-user.target to workload.target"
replace:
path: "{{ item }}"
regexp: 'WantedBy=multi-user.target'
replace: 'WantedBy=workload.target'
with_items:
- /usr/lib/systemd/system/tfe-env.service
- /usr/lib/systemd/system/tfe.service
when: runtime_env != 'TSG-X-P0906'
- name: "template the service_add_StartPostForRps.conf"
template:
src: "{{ role_path }}/templates/service_add_StartPostForRps.conf.j2.j2"
dest: /opt/tsg/tsg-os-provision/templates/service_add_StartPostForRps.conf.j2
when: runtime_env != 'TSG-X-P0906'
- name: "add condition into service depend provision result TSG-X-P0906"
copy:
src: "{{ role_path }}/files/service_override_Requires.conf"
dest: "/usr/lib/systemd/system/tfe-env.service.d/"
mode: 0644
when: runtime_env == 'TSG-X-P0906'
- name: "template tfe-env shell to dest"
template:
src: "{{ role_path }}/templates/{{ item.src }}"
dest: "/opt/tsg/tfe/{{ item.dest }}"
mode: 0755
when: runtime_env == 'TSG-X-P0906'
with_items:
- {src: "tfe-env-start.sh.j2", dest: "tfe-env-start.sh" }
- {src: "tfe-env-stop.sh.j2", dest: "tfe-env-stop.sh" }
##################### tfe #####################
- name: "enable tfe-env"
systemd:
name: tfe-env
enabled: yes
- name: "enable tfe"
systemd:
name: tfe
enabled: yes


@@ -1,12 +0,0 @@
[doh]
enable=1
[maat]
table_appid=ATTR_APP_ID
table_qname=ATTR_DOH_QNAME
table_host=ATTR_SERVER_FQDN
[kafka]
ENTRANCE_ID=0
# if enable "en_sendlog", the iterm "tfe.conf [kafka] enable" must set 1
en_sendlog=1


@@ -1,15 +0,0 @@
[STAT]
no_stats=0
{% if dp_steering_proxy.location == 'foreign' %}
statsd_server=192.168.100.1
{% endif %}
{% if dp_steering_proxy.location == 'local' %}
statsd_server=127.0.0.1
{% endif %}
statsd_port=8100
histogram_bins=0.50,0.80,0.9,0.95
statsd_cycle=5
# FS_OUTPUT_STATSD=1, FS_OUTPUT_INFLUX_LINE=2
statsd_format=2
# printf diff Not available
# print_diff=1


@@ -1,3 +0,0 @@
[Unit]
Wants=mrzcpd.service
After=tfe-env.service mrzcpd.service


@@ -1,4 +0,0 @@
[Service]
{% raw %}{% for i in range( tfe_env_rps_info.rps_size ) %}
ExecStartPost=/bin/sh -c "echo {{tfe_env_rps_info.rps_mask}} > /sys/class/net/${TFE_DEVICE_DATA_INCOMING}/queues/rx-{{i}}/rps_cpus"
{% endfor %}{% endraw %}


@@ -1,2 +0,0 @@
[Service]
Environment=HASPUSER_PREFIX=/etc/haspuser/


@@ -1,2 +0,0 @@
[Service]
Slice=workload.slice


@@ -1,5 +0,0 @@
TFE_DEVICE_DATA_INCOMING={{ dp_proxy.nic_name_data_incoming }}
TFE_LOCAL_MAC_DATA_INCOMING=fe:65:b7:03:50:bd
TFE_PEER_MAC_DATA_INCOMING={{ dp_proxy.mac_addr_data_incoming }}
TFE_LOCAL_IP_DATA_INCOMING=172.16.241.2
TFE_PEER_IP_DATA_INCOMING=172.16.241.1


@@ -1,22 +0,0 @@
#!/bin/bash -ex
/usr/sbin/ip link set tap0 address fe:65:b7:03:50:bd
/usr/sbin/ip link set tap0 up
/usr/sbin/ip addr flush dev tap0
/usr/sbin/ip addr add 172.16.241.2/30 dev tap0
/usr/sbin/ip neigh flush dev tap0
/usr/sbin/ip neigh add 172.16.241.1 lladdr 00:0e:c6:d6:72:c1 dev tap0 nud permanent
/usr/sbin/ip6tables -A INPUT -i tap0 -m bpf --bytecode '17,48 0 0 0,84 0 0 240,21 0 13 96,48 0 0 6,21 0 11 6,40 0 0 4,37 0 9 24,48 0 0 52,84 0 0 240,116 0 0 2,53 0 5 24,48 0 0 60,21 0 3 88,48 0 0 61,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
/usr/sbin/iptables -A INPUT -i tap0 -m bpf --bytecode '18,48 0 0 0,84 0 0 240,21 0 14 64,48 0 0 9,21 0 12 6,40 0 0 6,69 10 0 8191,177 0 0 0,80 0 0 12,84 0 0 240,116 0 0 2,53 0 5 24,80 0 0 20,21 0 3 88,80 0 0 21,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
/usr/sbin/ip rule add iif tap0 tab 100
/usr/sbin/ip route add local default dev lo table 100
/usr/sbin/ip rule add fwmark 0x65 lookup 101
/usr/sbin/ip route add default dev tap0 via 172.16.241.1 table 101
/usr/sbin/ip addr add fd00::02/64 dev tap0
/usr/sbin/ip -6 route add default via fd00::01
/usr/sbin/ip -6 rule add iif tap0 tab 102
/usr/sbin/ip -6 route add local default dev lo table 102
/usr/sbin/ip -6 neigh add fd00::01 lladdr 00:0e:c6:d6:72:c1 dev tap0 nud permanent


@@ -1,12 +0,0 @@
#!/bin/bash -ex
/usr/sbin/ip6tables -D INPUT -i tap0 -m bpf --bytecode '17,48 0 0 0,84 0 0 240,21 0 13 96,48 0 0 6,21 0 11 6,40 0 0 4,37 0 9 24,48 0 0 52,84 0 0 240,116 0 0 2,53 0 5 24,48 0 0 60,21 0 3 88,48 0 0 61,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
/usr/sbin/iptables -D INPUT -i tap0 -m bpf --bytecode '18,48 0 0 0,84 0 0 240,21 0 14 64,48 0 0 9,21 0 12 6,40 0 0 6,69 10 0 8191,177 0 0 0,80 0 0 12,84 0 0 240,116 0 0 2,53 0 5 24,80 0 0 20,21 0 3 88,80 0 0 21,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
/usr/sbin/ip rule del iif tap0 tab 100
/usr/sbin/ip route del local default dev lo table 100
/usr/sbin/ip rule del fwmark 0x65 lookup 101
/usr/sbin/ip route del default dev tap0 via 172.16.241.1 table 101
/usr/sbin/ip -6 rule del iif tap0 tab 102
/usr/sbin/ip -6 route del default via fd00::01
/usr/sbin/ip -6 route del local default dev lo table 102
/usr/sbin/ip addr del fd00::02/64 dev tap0
/usr/sbin/ip link set tap0 down


@@ -1,269 +0,0 @@
[system]
nr_worker_threads={{ workload_proxy.worker_thread }}
enable_kni_v1=0
enable_kni_v2=0
enable_kni_v3=1
# Only when (disable_coredump == 1 || (enable_breakpad == 1 && enable_breakpad_upload == 1)) is satisfied, the core will not be generated locally
{% raw %}{% if coredump.format == 'none' %}
disable_coredump=1
enable_breakpad=0
enable_breakpad_upload=0
{% endif %}
{% if coredump.format == 'core' %}
disable_coredump=0
enable_breakpad=0
enable_breakpad_upload=0
{% endif %}
{% if coredump.format == 'minidump' %}
disable_coredump=1
enable_breakpad=1
{% if coredump.collect == 'sentry' %}
enable_breakpad_upload=1
breakpad_upload_url={{ coredump.sentry_url }}
{% endif %}
{% if coredump.collect == 'local' %}
enable_breakpad_upload=0
{% endif %}
{% endif %}
{% endraw %}
# must be /run/tfe/crashreportdue to tmpfile limit
breakpad_minidump_dir=/run/tfe/crashreport
breakpad_upload_tools=/opt/tsg/framework/bin/minidump_upload
# ask for at least (1 + nr_worker_threads) masks
# the first mask for acceptor thread
# the others mask for worker thread
enable_cpu_affinity={{ workload_proxy.enable_cpu_affinity }}
cpu_affinity_mask={{ workload_proxy.cpu_affinity }}
# LEAST_CONN = 0; ROUND_ROBIN = 1
load_balance=1
# for enable kni v3
[nfq]
queue_id=1
queue_maxlen=655350
queue_rcvbufsiz=983025000
queue_no_enobufs=1
[kni]
# kni v1
#uxdomain=/var/run/.tfe_kni_acceptor_handler
# kni v2
#scm_socket_file=/var/run/.tfe_kmod_scm_socket
# send cmsg
send_switch=1
{% if dp_steering_proxy.location == 'local' %}
ip=127.0.0.1
{% endif %}
{% if dp_steering_proxy.location == 'foreign'%}
ip=192.168.100.1
{% endif %}
cmsg_port=2475
# watch dog
watchdog_switch=1
watchdog_port=2476
[watchdog_tfe]
# The worker thread updates the timestamp every two seconds
# The watchdog thread checks the timestamp every second
enable=1
timeout_seconds=5
statistics_window=20
timeout_cnt_as_fail=3
timeout_debug=0
[ssl]
ssl_debug=0
ssl_ja3_table=PXY_SSL_FINGERPRINT
# ssl version Not available, configured via TSG website
# ssl_max_version=tls13
# ssl_min_version=ssl3
ssl_compression=1
no_ssl2=1
no_ssl3=0
no_tls10=0
no_tls11=0
no_tls12=0
default_ciphers=ALL:-aNULL
no_cert_verify=0
# session ticket
no_session_ticket=0
stek_group_num=4096
stek_rotation_time=3600
# session cache
no_session_cache=0
session_cache_slots=4194304
session_cache_expire_seconds=1800
# service cache
service_cache_slots=4194304
service_cache_expire_seconds=300
service_cache_fail_as_pinning_cnt=4
service_cache_fail_as_proto_err_cnt=5
#service_cache_succ_as_app_not_pinning_cnt=0
service_cache_fail_time_window=30
# cert
check_cert_crl=0
trusted_cert_load_local=1
trusted_cert_file=resource/tfe/tsg_diagnose_ca.pem
trusted_cert_dir=resource/tfe/trusted_storage
# master key
log_master_key=0
key_log_file=log/sslkeylog.log
# mid cert cache
mc_cache_enable=1
[key_keeper]
#Mode: debug - generate cert with ca_path, normal - generate cert with cert store
#0 on cache 1 off cache
no_cache=0
mode=normal
{% if dp_certstore.location == 'local' %}
cert_store_host=127.0.0.1
{% endif %}
{% if dp_certstore.location == 'foreign'%}
cert_store_host=192.168.100.1
{% endif %}
cert_store_port=9991
ca_path=resource/tfe/tango-ca-v3-trust-ca.pem
untrusted_ca_path=resource/tfe/tango-ca-v3-untrust-ca.pem
hash_slot_size=131072
hash_expire_seconds=300
cert_expire_time=24
# health_check only for "mode=normal" default 1
enable_health_check=1
[tsg_http]
enable_plugin=1
en_sendlog=1
[debug]
# 1 : enforce tcp passthrough
# 0 : Whether to passthrough depends on the tcp_options in cmsg
passthrough_all_tcp=0
[ratelimit]
read_rate=0
read_burst=0
write_rate=0
write_burst=0
[tcp]
# read rcv_buff/snd_buff options from tfe conf
sz_rcv_buffer=-1
sz_snd_buffer=-1
# 1 : use tcp_options in tfe.conf
# 0 : use tcp_options in cmsg
enable_overwrite=0
tcp_nodelay=1
so_keepalive=1
tcp_keepcnt=8
tcp_keepintvl=15
tcp_keepidle=30
tcp_user_timeout=600
tcp_ttl_upstream=75
tcp_ttl_downstream=70
[stat]
{% if dp_steering_proxy.location == 'foreign' %}
statsd_server=192.168.100.1
{% endif %}
{% if dp_steering_proxy.location == 'local' %}
statsd_server=127.0.0.1
{% endif %}
statsd_port=8900
statsd_cycle=5
# 1:FS_OUTPUT_STATSD; 2:FS_OUTPUT_INFLUX_LINE
statsd_format=2
histogram_bins=0.5,0.8,0.9,0.95
statsd_set_prometheus_port=9001
statsd_set_prometheus_url_path=/metrics
[traffic_mirror]
enable={{ dp_proxy.enable_traffic_mirror }}
device={{ dp_traffic_mirror.nic_name }}
# 0:TRAFFIC_MIRROR_ETHDEV_AF_PACKET; 1:TRAFFIC_MIRROR_ETHDEV_MARSIO
type={{ dp_proxy.traffic_mirror_type }}
table_info=resource/pangu/table_info_traffic_mirror.conf
stat_file=log/traffic_mirror.status
default_vlan_id={{ dp_traffic_mirror.traffic_mirror_vlan_id }}
[kafka]
enable=1
NIC_NAME={{ control_and_policy.nic_name }}
{% raw %}kafka_brokerlist={{ olap.kafka_broker.address_list | join(",") }}
{% endraw %}
logger_send_topic=PROXY-EVENT
file_bucket_topic=TRAFFIC-FILE-STREAM-RECORD
mc_cache_topic=PXY-EXCH-INTERMEDIA-CERT
sasl_username=admin
sasl_passwd=galaxy2019
device_id_filepath=/opt/tsg/etc/tsg_sn.json
vsystem_id={% raw %}{{ vsys_id }}
{% endraw %}
[maat]
# 0:json 1:redis 2:iris
maat_input_mode=1
stat_switch=1
perf_switch=1
table_info=resource/pangu/table_info.conf
accept_path=/opt/tsg/etc/tsg_device_tag.json
stat_file=log/pangu_scan.fs2
effect_interval_s=1
deferred_load_on=0
# json mode conf iterm
json_cfg_file=resource/pangu/pangu_http.json
# redis mode conf iterm
maat_redis_server={% raw %}{{ cm_policy_server_ip }}
{% endraw %}
maat_redis_port_range={% raw %}{{ cm_policy_server_port }}
{% endraw %}
{% raw %}maat_redis_db_index={{ vsys_id }}
{% endraw %}
# iris mode conf iterm
full_cfg_dir=pangu_policy/full/index/
inc_cfg_dir=pangu_policy/inc/index/
accept_tag_key=data_center
[proxy_hits]
cycle=1000
telegraf_port=8900
{% if dp_steering_proxy.location == 'local' %}
telegraf_ip=127.0.0.1
{% endif %}
{% if dp_steering_proxy.location == 'foreign'%}
telegraf_ip=192.168.100.1
{% endif %}
app_name="proxy_rule_hits"
[traffic_steering]
enable_steering_http=0
enable_steering_ssl=0
# 17: 0x11
so_mask_client=17
# 34: 0x22
so_mask_server=34
device_client=tap_c
device_server=tap_s
http_keepalive_enable=0
http_keepalive_path="/metrics"
http_keepalive_addr=192.168.41.60
http_keepalive_port=9273


@@ -1,24 +0,0 @@
# kill -s SIGHUP "pid"
[global]
default format = "%d(%c), %t, %V, %F, %U, %m%n"
rotate lock file = /tmp/tfe_zlog.lock
file perms = 644
[levels]
DEBUG=10
INFO=20
FATAL=30
#DISABLE=40
[rules]
*.fatal "./log/error.log.%d(%F)";
tfe.fatal "./log/tfe.log.%d(%F)";
http.fatal "./log/http.log.%d(%F)";
http2.fatal "./log/http2.log.%d(%F)";
doh.fatal "./log/doh_pxy.log.%d(%F)";
tsg_http.fatal "./log/tsg_http_pxy.log.%d(%F)";
packet_io.fatal "./log/packet_io.log.%d(%F)";


@@ -1,3 +0,0 @@
---
- name: "testing tsg-cm role"
shell: echo "testing"