diff --git a/ansible/HAL_deploy.yml b/ansible/HAL_deploy.yml
index b324ce3a..88c1f8d8 100644
--- a/ansible/HAL_deploy.yml
+++ b/ansible/HAL_deploy.yml
@@ -27,72 +27,3 @@
 - {role: patches-9000-NPB, tags: patches-9000-NPB}
 - {role: tsg-os-oobc, tags: tsg-os-oobc}
 - {role: tsg-os-logfile-cleaner, tags: tsg-os-logfile-cleaner}
-
-- hosts: x86_64_COTS-firewall
- remote_user: root
- vars_files:
- - install_config/group_vars/HAL_x86_64_COTS.yml
- - install_config/group_vars/rpm_version.yml
- roles:
- - {role: framework, tags: framework}
- - {role: sapp, tags: sapp}
- - {role: firewall, tags: firewall}
- - {role: http_healthcheck, tags: http_healthcheck}
- - {role: hasp, tags: hasp}
-
-- hosts: x86_64_COTS-proxy
- remote_user: root
- vars_files:
- - install_config/group_vars/HAL_x86_64_COTS.yml
- - install_config/group_vars/rpm_version.yml
- roles:
- - {role: framework, tags: framework}
- - {role: tfe, tags: tfe}
- - {role: hasp, tags: hasp}
-
-- hosts: x86_64_COTS-certstore
- remote_user: root
- vars_files:
- - install_config/group_vars/HAL_x86_64_COTS.yml
- - install_config/group_vars/rpm_version.yml
- roles:
- - {role: framework, tags: framework}
- - {role: redis, tags: redis}
- - {role: certstore, tags: certstore}
-
-- hosts: x86_64_COTS-sce
- remote_user: root
- vars_files:
- - install_config/group_vars/HAL_x86_64_COTS.yml
- - install_config/group_vars/rpm_version.yml
- roles:
- - {role: framework, tags: framework}
- - {role: sce, tags: sce}
- - {role: hasp, tags: hasp}
-
-- hosts: x86_64_COTS-bfdd
- remote_user: root
- vars_files:
- - install_config/group_vars/HAL_x86_64_COTS.yml
- - install_config/group_vars/rpm_version.yml
- roles:
- - {role: framework, tags: framework}
- - {role: bfdd, tags: bfdd}
-
-- hosts: x86_64_COTS-shaping
- remote_user: root
- vars_files:
- - install_config/group_vars/HAL_x86_64_COTS.yml
- - install_config/group_vars/rpm_version.yml
- roles:
- - {role: framework, tags: framework}
- - {role: shaping_engine, tags: shaping_engine}
-
-
-- hosts: x86_64_COTS-base
- remote_user: root
- vars_files:
- - install_config/group_vars/HAL_x86_64_COTS.yml
- - install_config/group_vars/rpm_version.yml
- roles:
- - {role: container-tools-install, tags: container-tools-install}
\ No newline at end of file
diff --git a/ansible/roles/bfdd/files/bfdd-1.1.1-release.x86_64.rpm b/ansible/roles/bfdd/files/bfdd-1.1.1-release.x86_64.rpm
deleted file mode 100644
index 9f03fa6e..00000000
Binary files a/ansible/roles/bfdd/files/bfdd-1.1.1-release.x86_64.rpm and /dev/null differ
diff --git a/ansible/roles/bfdd/files/libyang2-2.0.7-1.el8.x86_64.rpm b/ansible/roles/bfdd/files/libyang2-2.0.7-1.el8.x86_64.rpm
deleted file mode 100644
index 1eabeb49..00000000
Binary files a/ansible/roles/bfdd/files/libyang2-2.0.7-1.el8.x86_64.rpm and /dev/null differ
diff --git a/ansible/roles/bfdd/tasks/main.yml b/ansible/roles/bfdd/tasks/main.yml
deleted file mode 100644
index e0ec0f21..00000000
--- a/ansible/roles/bfdd/tasks/main.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-- name: "install pcre2"
- yum:
- name: pcre2
- conf_file: "{{ rpm_repo_config_path }}"
- state: present
-
-- name: "temp: copy libyang rpm to dest"
- copy:
- src: "{{ role_path }}/files/libyang2-2.0.7-1.el8.x86_64.rpm"
- dest: /tmp
-
-- name: "install libyang2"
- yum:
- name:
- - /tmp/libyang2-2.0.7-1.el8.x86_64.rpm
- state: present
- disable_gpg_check: yes
-
-- name: "download rpm packages: bfdd"
- yum:
- name:
- - "{{ bfdd_rpm_version.bfdd }}"
- conf_file: "{{ rpm_repo_config_path }}"
- state: present
- download_only: yes
- download_dir: "{{ path_download }}"
-
-- name: "Get bfdd rpm path"
- find:
- path: /tmp/rpm_download/
- pattern: "{{ bfdd_rpm_version.bfdd }}*"
- register: bfdd_rpm_fullname
-
-- name: "Install bfdd from local path"
- yum:
- name: "{{ bfdd_rpm_fullname.files[0].path }}"
- state: present
- disable_gpg_check: yes
diff --git a/ansible/roles/certstore/files/cert-redis.conf b/ansible/roles/certstore/files/cert-redis.conf
deleted file mode 100644
index 7a7c9471..00000000
--- a/ansible/roles/certstore/files/cert-redis.conf
+++ /dev/null
@@ -1,1052 +0,0 @@ -# Redis configuration file example. -# -# Note that in order to read the configuration file, Redis must be -# started with the file path as first argument: -# -# ./redis-server /path/to/redis.conf - -# Note on units: when memory size is needed, it is possible to specify -# it in the usual form of 1k 5GB 4M and so forth: -# -# 1k => 1000 bytes -# 1kb => 1024 bytes -# 1m => 1000000 bytes -# 1mb => 1024*1024 bytes -# 1g => 1000000000 bytes -# 1gb => 1024*1024*1024 bytes -# -# units are case insensitive so 1GB 1Gb 1gB are all the same. - -################################## INCLUDES ################################### - -# Include one or more other config files here. This is useful if you -# have a standard template that goes to all Redis servers but also need -# to customize a few per-server settings. Include files can include -# other files, so use this wisely. -# -# Notice option "include" won't be rewritten by command "CONFIG REWRITE" -# from admin or Redis Sentinel. Since Redis always uses the last processed -# line as value of a configuration directive, you'd better put includes -# at the beginning of this file to avoid overwriting config change at runtime. -# -# If instead you are interested in using includes to override configuration -# options, it is better to use include as the last line. -# -# include /path/to/local.conf -# include /path/to/other.conf - -################################## NETWORK ##################################### - -# By default, if no "bind" configuration directive is specified, Redis listens -# for connections from all the network interfaces available on the server. -# It is possible to listen to just one or multiple selected interfaces using -# the "bind" configuration directive, followed by one or more IP addresses. 
-# -# Examples: -# -# bind 192.168.1.100 10.0.0.1 -# bind $ip ::1 -# -# ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the -# internet, binding to all the interfaces is dangerous and will expose the -# instance to everybody on the internet. So by default we uncomment the -# following bind directive, that will force Redis to listen only into -# the IPv4 lookback interface address (this means Redis will be able to -# accept connections only from clients running into the same computer it -# is running). -# -# IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES -# JUST COMMENT THE FOLLOWING LINE. -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -bind 0.0.0.0 - -# Protected mode is a layer of security protection, in order to avoid that -# Redis instances left open on the internet are accessed and exploited. -# -# When protected mode is on and if: -# -# 1) The server is not binding explicitly to a set of addresses using the -# "bind" directive. -# 2) No password is configured. -# -# The server only accepts connections from clients connecting from the -# IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain -# sockets. -# -# By default protected mode is enabled. You should disable it only if -# you are sure you want clients from other hosts to connect to Redis -# even if no authentication is configured, nor a specific set of interfaces -# are explicitly listed using the "bind" directive. -protected-mode yes - -# Accept connections on the specified port, default is 6379 (IANA #815344). -# If port 0 is specified Redis will not listen on a TCP socket. -port 6379 - -# TCP listen() backlog. -# -# In high requests-per-second environments you need an high backlog in order -# to avoid slow clients connections issues. 
Note that the Linux kernel -# will silently truncate it to the value of /proc/sys/net/core/somaxconn so -# make sure to raise both the value of somaxconn and tcp_max_syn_backlog -# in order to get the desired effect. -tcp-backlog 511 - -# Unix socket. -# -# Specify the path for the Unix socket that will be used to listen for -# incoming connections. There is no default, so Redis will not listen -# on a unix socket when not specified. -# -# unixsocket /tmp/redis.sock -# unixsocketperm 700 - -# Close the connection after a client is idle for N seconds (0 to disable) -timeout 0 - -# TCP keepalive. -# -# If non-zero, use SO_KEEPALIVE to send TCP ACKs to clients in absence -# of communication. This is useful for two reasons: -# -# 1) Detect dead peers. -# 2) Take the connection alive from the point of view of network -# equipment in the middle. -# -# On Linux, the specified value (in seconds) is the period used to send ACKs. -# Note that to close the connection the double of the time is needed. -# On other kernels the period depends on the kernel configuration. -# -# A reasonable value for this option is 300 seconds, which is the new -# Redis default starting with Redis 3.2.1. -tcp-keepalive 300 - -################################# GENERAL ##################################### - -# By default Redis does not run as a daemon. Use 'yes' if you need it. -# Note that Redis will write a pid file in /var/run/redis.pid when daemonized. -daemonize yes - -# If you run Redis from upstart or systemd, Redis can interact with your -# supervision tree. Options: -# supervised no - no supervision interaction -# supervised upstart - signal upstart by putting Redis into SIGSTOP mode -# supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET -# supervised auto - detect upstart or systemd method based on -# UPSTART_JOB or NOTIFY_SOCKET environment variables -# Note: these supervision methods only signal "process is ready." 
-# They do not enable continuous liveness pings back to your supervisor. -supervised no - -# If a pid file is specified, Redis writes it where specified at startup -# and removes it at exit. -# -# When the server runs non daemonized, no pid file is created if none is -# specified in the configuration. When the server is daemonized, the pid file -# is used even if not specified, defaulting to "/var/run/redis.pid". -# -# Creating a pid file is best effort: if Redis is not able to create it -# nothing bad happens, the server will start and run normally. -pidfile /var/run/redis_6379.pid - -# Specify the server verbosity level. -# This can be one of: -# debug (a lot of information, useful for development/testing) -# verbose (many rarely useful info, but not a mess like the debug level) -# notice (moderately verbose, what you want in production probably) -# warning (only very important / critical messages are logged) -loglevel notice - -# Specify the log file name. Also the empty string can be used to force -# Redis to log on the standard output. Note that if you use standard -# output for logging but daemonize, logs will be sent to /dev/null -#logfile "/opt/tsg/cert-redis/6379/6379.log" - -# To enable logging to the system logger, just set 'syslog-enabled' to yes, -# and optionally update the other syslog parameters to suit your needs. -# syslog-enabled no - -# Specify the syslog identity. -# syslog-ident redis - -# Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7. -# syslog-facility local0 - -# Set the number of databases. The default database is DB 0, you can select -# a different one on a per-connection basis using SELECT where -# dbid is a number between 0 and 'databases'-1 -databases 16 - -################################ SNAPSHOTTING ################################ -# -# Save the DB on disk: -# -# save -# -# Will save the DB if both the given number of seconds and the given -# number of write operations against the DB occurred. 
-# -# In the example below the behaviour will be to save: -# after 900 sec (15 min) if at least 1 key changed -# after 300 sec (5 min) if at least 10 keys changed -# after 60 sec if at least 10000 keys changed -# -# Note: you can disable saving completely by commenting out all "save" lines. -# -# It is also possible to remove all the previously configured save -# points by adding a save directive with a single empty string argument -# like in the following example: -# -# save "" - -save 900 1 -save 300 10 -save 60 10000 - -# By default Redis will stop accepting writes if RDB snapshots are enabled -# (at least one save point) and the latest background save failed. -# This will make the user aware (in a hard way) that data is not persisting -# on disk properly, otherwise chances are that no one will notice and some -# disaster will happen. -# -# If the background saving process will start working again Redis will -# automatically allow writes again. -# -# However if you have setup your proper monitoring of the Redis server -# and persistence, you may want to disable this feature so that Redis will -# continue to work as usual even if there are problems with disk, -# permissions, and so forth. -stop-writes-on-bgsave-error yes - -# Compress string objects using LZF when dump .rdb databases? -# For default that's set to 'yes' as it's almost always a win. -# If you want to save some CPU in the saving child set it to 'no' but -# the dataset will likely be bigger if you have compressible values or keys. -rdbcompression yes - -# Since version 5 of RDB a CRC64 checksum is placed at the end of the file. -# This makes the format more resistant to corruption but there is a performance -# hit to pay (around 10%) when saving and loading RDB files, so you can disable it -# for maximum performances. -# -# RDB files created with checksum disabled have a checksum of zero that will -# tell the loading code to skip the check. 
-rdbchecksum yes - -# The filename where to dump the DB -dbfilename dump.rdb - -# The working directory. -# -# The DB will be written inside this directory, with the filename specified -# above using the 'dbfilename' configuration directive. -# -# The Append Only File will also be created inside this directory. -# -# Note that you must specify a directory here, not a file name. -#dir /opt/tsg/cert-redis/6379/ - -################################# REPLICATION ################################# - -# Master-Slave replication. Use slaveof to make a Redis instance a copy of -# another Redis server. A few things to understand ASAP about Redis replication. -# -# 1) Redis replication is asynchronous, but you can configure a master to -# stop accepting writes if it appears to be not connected with at least -# a given number of slaves. -# 2) Redis slaves are able to perform a partial resynchronization with the -# master if the replication link is lost for a relatively small amount of -# time. You may want to configure the replication backlog size (see the next -# sections of this file) with a sensible value depending on your needs. -# 3) Replication is automatic and does not need user intervention. After a -# network partition slaves automatically try to reconnect to masters -# and resynchronize with them. -# -# slaveof - -# If the master is password protected (using the "requirepass" configuration -# directive below) it is possible to tell the slave to authenticate before -# starting the replication synchronization process, otherwise the master will -# refuse the slave request. -# -# masterauth - -# When a slave loses its connection with the master, or when the replication -# is still in progress, the slave can act in two different ways: -# -# 1) if slave-serve-stale-data is set to 'yes' (the default) the slave will -# still reply to client requests, possibly with out of date data, or the -# data set may just be empty if this is the first synchronization. 
-# -# 2) if slave-serve-stale-data is set to 'no' the slave will reply with -# an error "SYNC with master in progress" to all the kind of commands -# but to INFO and SLAVEOF. -# -slave-serve-stale-data yes - -# You can configure a slave instance to accept writes or not. Writing against -# a slave instance may be useful to store some ephemeral data (because data -# written on a slave will be easily deleted after resync with the master) but -# may also cause problems if clients are writing to it because of a -# misconfiguration. -# -# Since Redis 2.6 by default slaves are read-only. -# -# Note: read only slaves are not designed to be exposed to untrusted clients -# on the internet. It's just a protection layer against misuse of the instance. -# Still a read only slave exports by default all the administrative commands -# such as CONFIG, DEBUG, and so forth. To a limited extent you can improve -# security of read only slaves using 'rename-command' to shadow all the -# administrative / dangerous commands. -slave-read-only yes - -# Replication SYNC strategy: disk or socket. -# -# ------------------------------------------------------- -# WARNING: DISKLESS REPLICATION IS EXPERIMENTAL CURRENTLY -# ------------------------------------------------------- -# -# New slaves and reconnecting slaves that are not able to continue the replication -# process just receiving differences, need to do what is called a "full -# synchronization". An RDB file is transmitted from the master to the slaves. -# The transmission can happen in two different ways: -# -# 1) Disk-backed: The Redis master creates a new process that writes the RDB -# file on disk. Later the file is transferred by the parent -# process to the slaves incrementally. -# 2) Diskless: The Redis master creates a new process that directly writes the -# RDB file to slave sockets, without touching the disk at all. 
-# -# With disk-backed replication, while the RDB file is generated, more slaves -# can be queued and served with the RDB file as soon as the current child producing -# the RDB file finishes its work. With diskless replication instead once -# the transfer starts, new slaves arriving will be queued and a new transfer -# will start when the current one terminates. -# -# When diskless replication is used, the master waits a configurable amount of -# time (in seconds) before starting the transfer in the hope that multiple slaves -# will arrive and the transfer can be parallelized. -# -# With slow disks and fast (large bandwidth) networks, diskless replication -# works better. -repl-diskless-sync no - -# When diskless replication is enabled, it is possible to configure the delay -# the server waits in order to spawn the child that transfers the RDB via socket -# to the slaves. -# -# This is important since once the transfer starts, it is not possible to serve -# new slaves arriving, that will be queued for the next RDB transfer, so the server -# waits a delay in order to let more slaves arrive. -# -# The delay is specified in seconds, and by default is 5 seconds. To disable -# it entirely just set it to 0 seconds and the transfer will start ASAP. -repl-diskless-sync-delay 5 - -# Slaves send PINGs to server in a predefined interval. It's possible to change -# this interval with the repl_ping_slave_period option. The default value is 10 -# seconds. -# -# repl-ping-slave-period 10 - -# The following option sets the replication timeout for: -# -# 1) Bulk transfer I/O during SYNC, from the point of view of slave. -# 2) Master timeout from the point of view of slaves (data, pings). -# 3) Slave timeout from the point of view of masters (REPLCONF ACK pings). -# -# It is important to make sure that this value is greater than the value -# specified for repl-ping-slave-period otherwise a timeout will be detected -# every time there is low traffic between the master and the slave. 
-# -# repl-timeout 60 - -# Disable TCP_NODELAY on the slave socket after SYNC? -# -# If you select "yes" Redis will use a smaller number of TCP packets and -# less bandwidth to send data to slaves. But this can add a delay for -# the data to appear on the slave side, up to 40 milliseconds with -# Linux kernels using a default configuration. -# -# If you select "no" the delay for data to appear on the slave side will -# be reduced but more bandwidth will be used for replication. -# -# By default we optimize for low latency, but in very high traffic conditions -# or when the master and slaves are many hops away, turning this to "yes" may -# be a good idea. -repl-disable-tcp-nodelay no - -# Set the replication backlog size. The backlog is a buffer that accumulates -# slave data when slaves are disconnected for some time, so that when a slave -# wants to reconnect again, often a full resync is not needed, but a partial -# resync is enough, just passing the portion of data the slave missed while -# disconnected. -# -# The bigger the replication backlog, the longer the time the slave can be -# disconnected and later be able to perform a partial resynchronization. -# -# The backlog is only allocated once there is at least a slave connected. -# -# repl-backlog-size 1mb - -# After a master has no longer connected slaves for some time, the backlog -# will be freed. The following option configures the amount of seconds that -# need to elapse, starting from the time the last slave disconnected, for -# the backlog buffer to be freed. -# -# A value of 0 means to never release the backlog. -# -# repl-backlog-ttl 3600 - -# The slave priority is an integer number published by Redis in the INFO output. -# It is used by Redis Sentinel in order to select a slave to promote into a -# master if the master is no longer working correctly. 
-# -# A slave with a low priority number is considered better for promotion, so -# for instance if there are three slaves with priority 10, 100, 25 Sentinel will -# pick the one with priority 10, that is the lowest. -# -# However a special priority of 0 marks the slave as not able to perform the -# role of master, so a slave with priority of 0 will never be selected by -# Redis Sentinel for promotion. -# -# By default the priority is 100. -slave-priority 100 - -# It is possible for a master to stop accepting writes if there are less than -# N slaves connected, having a lag less or equal than M seconds. -# -# The N slaves need to be in "online" state. -# -# The lag in seconds, that must be <= the specified value, is calculated from -# the last ping received from the slave, that is usually sent every second. -# -# This option does not GUARANTEE that N replicas will accept the write, but -# will limit the window of exposure for lost writes in case not enough slaves -# are available, to the specified number of seconds. -# -# For example to require at least 3 slaves with a lag <= 10 seconds use: -# -# min-slaves-to-write 3 -# min-slaves-max-lag 10 -# -# Setting one or the other to 0 disables the feature. -# -# By default min-slaves-to-write is set to 0 (feature disabled) and -# min-slaves-max-lag is set to 10. - -# A Redis master is able to list the address and port of the attached -# slaves in different ways. For example the "INFO replication" section -# offers this information, which is used, among other tools, by -# Redis Sentinel in order to discover slave instances. -# Another place where this info is available is in the output of the -# "ROLE" command of a masteer. -# -# The listed IP and address normally reported by a slave is obtained -# in the following way: -# -# IP: The address is auto detected by checking the peer address -# of the socket used by the slave to connect with the master. 
-# -# Port: The port is communicated by the slave during the replication -# handshake, and is normally the port that the slave is using to -# list for connections. -# -# However when port forwarding or Network Address Translation (NAT) is -# used, the slave may be actually reachable via different IP and port -# pairs. The following two options can be used by a slave in order to -# report to its master a specific set of IP and port, so that both INFO -# and ROLE will report those values. -# -# There is no need to use both the options if you need to override just -# the port or the IP address. -# -# slave-announce-ip 5.5.5.5 -# slave-announce-port 1234 - -################################## SECURITY ################################### - -# Require clients to issue AUTH before processing any other -# commands. This might be useful in environments in which you do not trust -# others with access to the host running redis-server. -# -# This should stay commented out for backward compatibility and because most -# people do not need auth (e.g. they run their own servers). -# -# Warning: since Redis is pretty fast an outside user can try up to -# 150k passwords per second against a good box. This means that you should -# use a very strong password otherwise it will be very easy to break. -# -# requirepass foobared - -# Command renaming. -# -# It is possible to change the name of dangerous commands in a shared -# environment. For instance the CONFIG command may be renamed into something -# hard to guess so that it will still be available for internal-use tools -# but not available for general clients. -# -# Example: -# -# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52 -# -# It is also possible to completely kill a command by renaming it into -# an empty string: -# -# rename-command CONFIG "" -# -# Please note that changing the name of commands that are logged into the -# AOF file or transmitted to slaves may cause problems. 
- -################################### LIMITS #################################### - -# Set the max number of connected clients at the same time. By default -# this limit is set to 10000 clients, however if the Redis server is not -# able to configure the process file limit to allow for the specified limit -# the max number of allowed clients is set to the current file limit -# minus 32 (as Redis reserves a few file descriptors for internal uses). -# -# Once the limit is reached Redis will close all the new connections sending -# an error 'max number of clients reached'. -# -# maxclients 10000 - -# Don't use more memory than the specified amount of bytes. -# When the memory limit is reached Redis will try to remove keys -# according to the eviction policy selected (see maxmemory-policy). -# -# If Redis can't remove keys according to the policy, or if the policy is -# set to 'noeviction', Redis will start to reply with errors to commands -# that would use more memory, like SET, LPUSH, and so on, and will continue -# to reply to read-only commands like GET. -# -# This option is usually useful when using Redis as an LRU cache, or to set -# a hard memory limit for an instance (using the 'noeviction' policy). -# -# WARNING: If you have slaves attached to an instance with maxmemory on, -# the size of the output buffers needed to feed the slaves are subtracted -# from the used memory count, so that network problems / resyncs will -# not trigger a loop where keys are evicted, and in turn the output -# buffer of slaves is full with DELs of keys evicted triggering the deletion -# of more keys, and so forth until the database is completely emptied. -# -# In short... if you have slaves attached it is suggested that you set a lower -# limit for maxmemory so that there is some free RAM on the system for slave -# output buffers (but this is not needed if the policy is 'noeviction'). 
-# -# maxmemory - -# MAXMEMORY POLICY: how Redis will select what to remove when maxmemory -# is reached. You can select among five behaviors: -# -# volatile-lru -> remove the key with an expire set using an LRU algorithm -# allkeys-lru -> remove any key according to the LRU algorithm -# volatile-random -> remove a random key with an expire set -# allkeys-random -> remove a random key, any key -# volatile-ttl -> remove the key with the nearest expire time (minor TTL) -# noeviction -> don't expire at all, just return an error on write operations -# -# Note: with any of the above policies, Redis will return an error on write -# operations, when there are no suitable keys for eviction. -# -# At the date of writing these commands are: set setnx setex append -# incr decr rpush lpush rpushx lpushx linsert lset rpoplpush sadd -# sinter sinterstore sunion sunionstore sdiff sdiffstore zadd zincrby -# zunionstore zinterstore hset hsetnx hmset hincrby incrby decrby -# getset mset msetnx exec sort -# -# The default is: -# -# maxmemory-policy noeviction - -# LRU and minimal TTL algorithms are not precise algorithms but approximated -# algorithms (in order to save memory), so you can tune it for speed or -# accuracy. For default Redis will check five keys and pick the one that was -# used less recently, you can change the sample size using the following -# configuration directive. -# -# The default of 5 produces good enough results. 10 Approximates very closely -# true LRU but costs a bit more CPU. 3 is very fast but not very accurate. -# -# maxmemory-samples 5 - -############################## APPEND ONLY MODE ############################### - -# By default Redis asynchronously dumps the dataset on disk. This mode is -# good enough in many applications, but an issue with the Redis process or -# a power outage may result into a few minutes of writes lost (depending on -# the configured save points). 
-# -# The Append Only File is an alternative persistence mode that provides -# much better durability. For instance using the default data fsync policy -# (see later in the config file) Redis can lose just one second of writes in a -# dramatic event like a server power outage, or a single write if something -# wrong with the Redis process itself happens, but the operating system is -# still running correctly. -# -# AOF and RDB persistence can be enabled at the same time without problems. -# If the AOF is enabled on startup Redis will load the AOF, that is the file -# with the better durability guarantees. -# -# Please check http://redis.io/topics/persistence for more information. - -appendonly no - -# The name of the append only file (default: "appendonly.aof") - -appendfilename "appendonly.aof" - -# The fsync() call tells the Operating System to actually write data on disk -# instead of waiting for more data in the output buffer. Some OS will really flush -# data on disk, some other OS will just try to do it ASAP. -# -# Redis supports three different modes: -# -# no: don't fsync, just let the OS flush the data when it wants. Faster. -# always: fsync after every write to the append only log. Slow, Safest. -# everysec: fsync only one time every second. Compromise. -# -# The default is "everysec", as that's usually the right compromise between -# speed and data safety. It's up to you to understand if you can relax this to -# "no" that will let the operating system flush the output buffer when -# it wants, for better performances (but if you can live with the idea of -# some data loss consider the default persistence mode that's snapshotting), -# or on the contrary, use "always" that's very slow but a bit safer than -# everysec. -# -# More details please check the following article: -# http://antirez.com/post/redis-persistence-demystified.html -# -# If unsure, use "everysec". 
- -# appendfsync always -appendfsync everysec -# appendfsync no - -# When the AOF fsync policy is set to always or everysec, and a background -# saving process (a background save or AOF log background rewriting) is -# performing a lot of I/O against the disk, in some Linux configurations -# Redis may block too long on the fsync() call. Note that there is no fix for -# this currently, as even performing fsync in a different thread will block -# our synchronous write(2) call. -# -# In order to mitigate this problem it's possible to use the following option -# that will prevent fsync() from being called in the main process while a -# BGSAVE or BGREWRITEAOF is in progress. -# -# This means that while another child is saving, the durability of Redis is -# the same as "appendfsync none". In practical terms, this means that it is -# possible to lose up to 30 seconds of log in the worst scenario (with the -# default Linux settings). -# -# If you have latency problems turn this to "yes". Otherwise leave it as -# "no" that is the safest pick from the point of view of durability. - -no-appendfsync-on-rewrite no - -# Automatic rewrite of the append only file. -# Redis is able to automatically rewrite the log file implicitly calling -# BGREWRITEAOF when the AOF log size grows by the specified percentage. -# -# This is how it works: Redis remembers the size of the AOF file after the -# latest rewrite (if no rewrite has happened since the restart, the size of -# the AOF at startup is used). -# -# This base size is compared to the current size. If the current size is -# bigger than the specified percentage, the rewrite is triggered. Also -# you need to specify a minimal size for the AOF file to be rewritten, this -# is useful to avoid rewriting the AOF file even if the percentage increase -# is reached but it is still pretty small. -# -# Specify a percentage of zero in order to disable the automatic AOF -# rewrite feature. 
- -auto-aof-rewrite-percentage 100 -auto-aof-rewrite-min-size 64mb - -# An AOF file may be found to be truncated at the end during the Redis -# startup process, when the AOF data gets loaded back into memory. -# This may happen when the system where Redis is running -# crashes, especially when an ext4 filesystem is mounted without the -# data=ordered option (however this can't happen when Redis itself -# crashes or aborts but the operating system still works correctly). -# -# Redis can either exit with an error when this happens, or load as much -# data as possible (the default now) and start if the AOF file is found -# to be truncated at the end. The following option controls this behavior. -# -# If aof-load-truncated is set to yes, a truncated AOF file is loaded and -# the Redis server starts emitting a log to inform the user of the event. -# Otherwise if the option is set to no, the server aborts with an error -# and refuses to start. When the option is set to no, the user requires -# to fix the AOF file using the "redis-check-aof" utility before to restart -# the server. -# -# Note that if the AOF file will be found to be corrupted in the middle -# the server will still exit with an error. This option only applies when -# Redis will try to read more data from the AOF file but not enough bytes -# will be found. -aof-load-truncated yes - -################################ LUA SCRIPTING ############################### - -# Max execution time of a Lua script in milliseconds. -# -# If the maximum execution time is reached Redis will log that a script is -# still in execution after the maximum allowed time and will start to -# reply to queries with an error. -# -# When a long running script exceeds the maximum execution time only the -# SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be -# used to stop a script that did not yet called write commands. 
The second -# is the only way to shut down the server in the case a write command was -# already issued by the script but the user doesn't want to wait for the natural -# termination of the script. -# -# Set it to 0 or a negative value for unlimited execution without warnings. -lua-time-limit 5000 - -################################ REDIS CLUSTER ############################### -# -# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -# WARNING EXPERIMENTAL: Redis Cluster is considered to be stable code, however -# in order to mark it as "mature" we need to wait for a non trivial percentage -# of users to deploy it in production. -# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -# -# Normal Redis instances can't be part of a Redis Cluster; only nodes that are -# started as cluster nodes can. In order to start a Redis instance as a -# cluster node enable the cluster support uncommenting the following: -# -# cluster-enabled yes - -# Every cluster node has a cluster configuration file. This file is not -# intended to be edited by hand. It is created and updated by Redis nodes. -# Every Redis Cluster node requires a different cluster configuration file. -# Make sure that instances running in the same system do not have -# overlapping cluster configuration file names. -# -# cluster-config-file nodes-6379.conf - -# Cluster node timeout is the amount of milliseconds a node must be unreachable -# for it to be considered in failure state. -# Most other internal time limits are multiple of the node timeout. -# -# cluster-node-timeout 15000 - -# A slave of a failing master will avoid to start a failover if its data -# looks too old. 
-# -# There is no simple way for a slave to actually have a exact measure of -# its "data age", so the following two checks are performed: -# -# 1) If there are multiple slaves able to failover, they exchange messages -# in order to try to give an advantage to the slave with the best -# replication offset (more data from the master processed). -# Slaves will try to get their rank by offset, and apply to the start -# of the failover a delay proportional to their rank. -# -# 2) Every single slave computes the time of the last interaction with -# its master. This can be the last ping or command received (if the master -# is still in the "connected" state), or the time that elapsed since the -# disconnection with the master (if the replication link is currently down). -# If the last interaction is too old, the slave will not try to failover -# at all. -# -# The point "2" can be tuned by user. Specifically a slave will not perform -# the failover if, since the last interaction with the master, the time -# elapsed is greater than: -# -# (node-timeout * slave-validity-factor) + repl-ping-slave-period -# -# So for example if node-timeout is 30 seconds, and the slave-validity-factor -# is 10, and assuming a default repl-ping-slave-period of 10 seconds, the -# slave will not try to failover if it was not able to talk with the master -# for longer than 310 seconds. -# -# A large slave-validity-factor may allow slaves with too old data to failover -# a master, while a too small value may prevent the cluster from being able to -# elect a slave at all. -# -# For maximum availability, it is possible to set the slave-validity-factor -# to a value of 0, which means, that slaves will always try to failover the -# master regardless of the last time they interacted with the master. -# (However they'll always try to apply a delay proportional to their -# offset rank). 
-# -# Zero is the only value able to guarantee that when all the partitions heal -# the cluster will always be able to continue. -# -# cluster-slave-validity-factor 10 - -# Cluster slaves are able to migrate to orphaned masters, that are masters -# that are left without working slaves. This improves the cluster ability -# to resist to failures as otherwise an orphaned master can't be failed over -# in case of failure if it has no working slaves. -# -# Slaves migrate to orphaned masters only if there are still at least a -# given number of other working slaves for their old master. This number -# is the "migration barrier". A migration barrier of 1 means that a slave -# will migrate only if there is at least 1 other working slave for its master -# and so forth. It usually reflects the number of slaves you want for every -# master in your cluster. -# -# Default is 1 (slaves migrate only if their masters remain with at least -# one slave). To disable migration just set it to a very large value. -# A value of 0 can be set but is useful only for debugging and dangerous -# in production. -# -# cluster-migration-barrier 1 - -# By default Redis Cluster nodes stop accepting queries if they detect there -# is at least an hash slot uncovered (no available node is serving it). -# This way if the cluster is partially down (for example a range of hash slots -# are no longer covered) all the cluster becomes, eventually, unavailable. -# It automatically returns available as soon as all the slots are covered again. -# -# However sometimes you want the subset of the cluster which is working, -# to continue to accept queries for the part of the key space that is still -# covered. In order to do so, just set the cluster-require-full-coverage -# option to no. -# -# cluster-require-full-coverage yes - -# In order to setup your cluster make sure to read the documentation -# available at http://redis.io web site. 
- -################################## SLOW LOG ################################### - -# The Redis Slow Log is a system to log queries that exceeded a specified -# execution time. The execution time does not include the I/O operations -# like talking with the client, sending the reply and so forth, -# but just the time needed to actually execute the command (this is the only -# stage of command execution where the thread is blocked and can not serve -# other requests in the meantime). -# -# You can configure the slow log with two parameters: one tells Redis -# what is the execution time, in microseconds, to exceed in order for the -# command to get logged, and the other parameter is the length of the -# slow log. When a new command is logged the oldest one is removed from the -# queue of logged commands. - -# The following time is expressed in microseconds, so 1000000 is equivalent -# to one second. Note that a negative number disables the slow log, while -# a value of zero forces the logging of every command. -slowlog-log-slower-than 10000 - -# There is no limit to this length. Just be aware that it will consume memory. -# You can reclaim memory used by the slow log with SLOWLOG RESET. -slowlog-max-len 128 - -################################ LATENCY MONITOR ############################## - -# The Redis latency monitoring subsystem samples different operations -# at runtime in order to collect data related to possible sources of -# latency of a Redis instance. -# -# Via the LATENCY command this information is available to the user that can -# print graphs and obtain reports. -# -# The system only logs operations that were performed in a time equal or -# greater than the amount of milliseconds specified via the -# latency-monitor-threshold configuration directive. When its value is set -# to zero, the latency monitor is turned off. 
-# -# By default latency monitoring is disabled since it is mostly not needed -# if you don't have latency issues, and collecting data has a performance -# impact, that while very small, can be measured under big load. Latency -# monitoring can easily be enabled at runtime using the command -# "CONFIG SET latency-monitor-threshold " if needed. -latency-monitor-threshold 0 - -############################# EVENT NOTIFICATION ############################## - -# Redis can notify Pub/Sub clients about events happening in the key space. -# This feature is documented at http://redis.io/topics/notifications -# -# For instance if keyspace events notification is enabled, and a client -# performs a DEL operation on key "foo" stored in the Database 0, two -# messages will be published via Pub/Sub: -# -# PUBLISH __keyspace@0__:foo del -# PUBLISH __keyevent@0__:del foo -# -# It is possible to select the events that Redis will notify among a set -# of classes. Every class is identified by a single character: -# -# K Keyspace events, published with __keyspace@__ prefix. -# E Keyevent events, published with __keyevent@__ prefix. -# g Generic commands (non-type specific) like DEL, EXPIRE, RENAME, ... -# $ String commands -# l List commands -# s Set commands -# h Hash commands -# z Sorted set commands -# x Expired events (events generated every time a key expires) -# e Evicted events (events generated when a key is evicted for maxmemory) -# A Alias for g$lshzxe, so that the "AKE" string means all the events. -# -# The "notify-keyspace-events" takes as argument a string that is composed -# of zero or multiple characters. The empty string means that notifications -# are disabled. 
-# -# Example: to enable list and generic events, from the point of view of the -# event name, use: -# -# notify-keyspace-events Elg -# -# Example 2: to get the stream of the expired keys subscribing to channel -# name __keyevent@0__:expired use: -# -# notify-keyspace-events Ex -# -# By default all notifications are disabled because most users don't need -# this feature and the feature has some overhead. Note that if you don't -# specify at least one of K or E, no events will be delivered. -notify-keyspace-events "" - -############################### ADVANCED CONFIG ############################### - -# Hashes are encoded using a memory efficient data structure when they have a -# small number of entries, and the biggest entry does not exceed a given -# threshold. These thresholds can be configured using the following directives. -hash-max-ziplist-entries 512 -hash-max-ziplist-value 64 - -# Lists are also encoded in a special way to save a lot of space. -# The number of entries allowed per internal list node can be specified -# as a fixed maximum size or a maximum number of elements. -# For a fixed maximum size, use -5 through -1, meaning: -# -5: max size: 64 Kb <-- not recommended for normal workloads -# -4: max size: 32 Kb <-- not recommended -# -3: max size: 16 Kb <-- probably not recommended -# -2: max size: 8 Kb <-- good -# -1: max size: 4 Kb <-- good -# Positive numbers mean store up to _exactly_ that number of elements -# per list node. -# The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size), -# but if your use case is unique, adjust the settings as necessary. -list-max-ziplist-size -2 - -# Lists may also be compressed. -# Compress depth is the number of quicklist ziplist nodes from *each* side of -# the list to *exclude* from compression. The head and tail of the list -# are always uncompressed for fast push/pop operations. 
Settings are: -# 0: disable all list compression -# 1: depth 1 means "don't start compressing until after 1 node into the list, -# going from either the head or tail" -# So: [head]->node->node->...->node->[tail] -# [head], [tail] will always be uncompressed; inner nodes will compress. -# 2: [head]->[next]->node->node->...->node->[prev]->[tail] -# 2 here means: don't compress head or head->next or tail->prev or tail, -# but compress all nodes between them. -# 3: [head]->[next]->[next]->node->node->...->node->[prev]->[prev]->[tail] -# etc. -list-compress-depth 0 - -# Sets have a special encoding in just one case: when a set is composed -# of just strings that happen to be integers in radix 10 in the range -# of 64 bit signed integers. -# The following configuration setting sets the limit in the size of the -# set in order to use this special memory saving encoding. -set-max-intset-entries 512 - -# Similarly to hashes and lists, sorted sets are also specially encoded in -# order to save a lot of space. This encoding is only used when the length and -# elements of a sorted set are below the following limits: -zset-max-ziplist-entries 128 -zset-max-ziplist-value 64 - -# HyperLogLog sparse representation bytes limit. The limit includes the -# 16 bytes header. When an HyperLogLog using the sparse representation crosses -# this limit, it is converted into the dense representation. -# -# A value greater than 16000 is totally useless, since at that point the -# dense representation is more memory efficient. -# -# The suggested value is ~ 3000 in order to have the benefits of -# the space efficient encoding without slowing down too much PFADD, -# which is O(N) with the sparse encoding. The value can be raised to -# ~ 10000 when CPU is not a concern, but space is, and the data set is -# composed of many HyperLogLogs with cardinality in the 0 - 15000 range. 
-hll-sparse-max-bytes 3000 - -# Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in -# order to help rehashing the main Redis hash table (the one mapping top-level -# keys to values). The hash table implementation Redis uses (see dict.c) -# performs a lazy rehashing: the more operation you run into a hash table -# that is rehashing, the more rehashing "steps" are performed, so if the -# server is idle the rehashing is never complete and some more memory is used -# by the hash table. -# -# The default is to use this millisecond 10 times every second in order to -# actively rehash the main dictionaries, freeing memory when possible. -# -# If unsure: -# use "activerehashing no" if you have hard latency requirements and it is -# not a good thing in your environment that Redis can reply from time to time -# to queries with 2 milliseconds delay. -# -# use "activerehashing yes" if you don't have such hard requirements but -# want to free memory asap when possible. -activerehashing yes - -# The client output buffer limits can be used to force disconnection of clients -# that are not reading data from the server fast enough for some reason (a -# common reason is that a Pub/Sub client can't consume messages as fast as the -# publisher can produce them). -# -# The limit can be set differently for the three different classes of clients: -# -# normal -> normal clients including MONITOR clients -# slave -> slave clients -# pubsub -> clients subscribed to at least one pubsub channel or pattern -# -# The syntax of every client-output-buffer-limit directive is the following: -# -# client-output-buffer-limit -# -# A client is immediately disconnected once the hard limit is reached, or if -# the soft limit is reached and remains reached for the specified number of -# seconds (continuously). 
-# So for instance if the hard limit is 32 megabytes and the soft limit is -# 16 megabytes / 10 seconds, the client will get disconnected immediately -# if the size of the output buffers reach 32 megabytes, but will also get -# disconnected if the client reaches 16 megabytes and continuously overcomes -# the limit for 10 seconds. -# -# By default normal clients are not limited because they don't receive data -# without asking (in a push way), but just after a request, so only -# asynchronous clients may create a scenario where data is requested faster -# than it can read. -# -# Instead there is a default limit for pubsub and slave clients, since -# subscribers and slaves receive data in a push fashion. -# -# Both the hard or the soft limit can be disabled by setting them to zero. -client-output-buffer-limit normal 0 0 0 -client-output-buffer-limit slave 256mb 64mb 60 -client-output-buffer-limit pubsub 32mb 8mb 60 - -# Redis calls an internal function to perform many background tasks, like -# closing connections of clients in timeout, purging expired keys that are -# never requested, and so forth. -# -# Not all tasks are performed with the same frequency, but Redis checks for -# tasks to perform according to the specified "hz" value. -# -# By default "hz" is set to 10. Raising the value will use more CPU when -# Redis is idle, but at the same time will make Redis more responsive when -# there are many keys expiring at the same time, and timeouts may be -# handled with more precision. -# -# The range is between 1 and 500, however a value over 100 is usually not -# a good idea. Most users should use the default of 10 and raise this up to -# 100 only in environments where very low latency is required. -hz 10 - -# When a child rewrites the AOF file, if the following option is enabled -# the file will be fsync-ed every 32 MB of data generated. This is useful -# in order to commit the file to the disk more incrementally and avoid -# big latency spikes. 
-aof-rewrite-incremental-fsync yes
diff --git a/ansible/roles/certstore/files/cert-redis.service b/ansible/roles/certstore/files/cert-redis.service
deleted file mode 100644
index 8e446727..00000000
--- a/ansible/roles/certstore/files/cert-redis.service
+++ /dev/null
@@ -1,12 +0,0 @@
-[Unit]
-Description=Redis persistent key-value database
-After=network.target
-
-[Service]
-ExecStart=/usr/bin/redis-server /etc/cert-redis.conf --supervised systemd
-ExecStop=/usr/libexec/redis-shutdown cert-redis
-Type=notify
-
-[Install]
-WantedBy=multi-user.target
-
diff --git a/ansible/roles/certstore/meta/main.yml b/ansible/roles/certstore/meta/main.yml
deleted file mode 100644
index 98e39762..00000000
--- a/ansible/roles/certstore/meta/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-dependencies:
- - role: redis
\ No newline at end of file
diff --git a/ansible/roles/certstore/tasks/main.yml b/ansible/roles/certstore/tasks/main.yml
deleted file mode 100644
index c4446d78..00000000
--- a/ansible/roles/certstore/tasks/main.yml
+++ /dev/null
@@ -1,112 +0,0 @@ -- name: Ensures /opt/tsg exists - file: path=/opt/tsg state=directory - tags: mkdir - -#- name: "Install certstore" -# shell: rpm -i /tmp/rpm_download/{{ certstore_rpm_version.certstore }}* - -- name: "download rpm packages: certstore" - yum: - name: - - "{{ certstore_rpm_version.certstore }}" - conf_file: "{{ rpm_repo_config_path }}" - state: present - download_only: yes - download_dir: "{{ path_download }}" - -- name: "Get certstore rpm path" - find: - path: /tmp/rpm_download/ - pattern: "{{ certstore_rpm_version.certstore }}*" - register: certstore_rpm_fullname - -- name: "Install certstore from local path" - yum: - name: "{{ certstore_rpm_fullname.files[0].path }}" - state: present - disable_gpg_check: yes - -- name: template certstore configure file - template: - src: "{{ role_path }}/templates/cert_store.ini.j2.j2" - dest: /opt/tsg/tsg-os-provision/templates/cert_store.ini.j2 - when: runtime_env != 'TSG-X-P0906' - -- name: template certstore zlog file - template: - src: "{{ role_path }}/templates/zlog.conf.j2" - dest: /opt/tsg/certstore/conf/zlog.conf - -- name: "Create /usr/lib/systemd/system/certstore.service.d directory if it does not exist" - file: - path: "{{ item }}" - state: directory - mode: '0755' - with_items: - - /usr/lib/systemd/system/certstore.service.d - -- name: "copy slice file to certstore.service.d" - copy: - src: "{{ role_path }}/templates/service_override_slice.conf.j2" - dest: /usr/lib/systemd/system/certstore.service.d/service_override_slice.conf - mode: 0644 - when: runtime_env != 'TSG-X-P0906' - -- name: "copy env file to certstore.service.d" - copy: - src: "{{ role_path }}/templates/service_override_env.conf.j2" - dest: /usr/lib/systemd/system/certstore.service.d/service_override_env.conf - mode: 0644 - -- name: "Create /usr/lib/systemd/system/cert-redis.service.d directory if it does not exist" - file: - path: "{{ item }}" - state: directory - mode: '0755' - with_items: - - 
/usr/lib/systemd/system/cert-redis.service.d - -- name: "copy slice file to cert-redis.service.d" - copy: - src: "{{ role_path }}/templates/service_override_slice.conf.j2" - dest: /usr/lib/systemd/system/cert-redis.service.d/service_override_slice.conf - mode: 0644 - when: runtime_env != 'TSG-X-P0906' - -- name: "copy cert-redis file to dest" - copy: - src: "{{ role_path }}/files/" - dest: "{{ item.dest }}" - mode: "{{ item.mode }}" - with_items: - - { src: "cert-redis.conf" , dest: "/etc" , mode: "0644" } - - { src: "cert-redis.service" , dest: "/usr/lib/systemd/system" , mode: "0644" } - -- name: "replace action: replace service WantedBy from multi-user.target to workload.target" - replace: - path: "{{ item }}" - regexp: 'WantedBy=multi-user.target' - replace: 'WantedBy=workload.target' - with_items: - - /usr/lib/systemd/system/cert-redis.service - - /usr/lib/systemd/system/certstore.service - when: runtime_env != 'TSG-X-P0906' - -- name: "replace action: close redis-server daemonize TSG-X-0906" - replace: - path: "/etc/cert-redis.conf" - regexp: 'daemonize yes' - replace: 'daemonize no' - when: runtime_env == 'TSG-X-P0906' - -##################### certstore ##################### -- name: "start certstore" - systemd: - name: certstore.service - enabled: yes - -##################### cert-redis ##################### -- name: "start cert-redis" - systemd: - name: cert-redis.service - enabled: yes \ No newline at end of file diff --git a/ansible/roles/certstore/templates/cert_store.conf.j2 b/ansible/roles/certstore/templates/cert_store.conf.j2 deleted file mode 100644 index 5d7cc064..00000000 --- a/ansible/roles/certstore/templates/cert_store.conf.j2 +++ /dev/null 
@@ -1,6 +0,0 @@
-#Type Path Mode User Group Age Argument
-d /var/log/certstore/ 0755 - - 7d -
-d /run/certstore/foreign_files 0755 - - - -
-d /run/certstore/crashreport 0755 - - 30d -
-L /opt/tsg/certstore/logs - - - - /var/log/certstore
-L /opt/tsg/certstore/foreign_files - - - - /run/certstore/foreign_files
diff --git a/ansible/roles/certstore/templates/cert_store.ini.j2.j2 b/ansible/roles/certstore/templates/cert_store.ini.j2.j2
deleted file mode 100644
index 34a5dc33..00000000
--- a/ansible/roles/certstore/templates/cert_store.ini.j2.j2
+++ /dev/null
@@ -1,82 +0,0 @@
-[SYSTEM]
-#1:print on screen, 0:don't
-DEBUG_SWITCH = 1
-RUN_LOG_PATH = "conf/zlog.conf"
-
-[breakpad]
-{% raw %}{% if coredump.format == 'none' %}
- disable_coredump=1
- enable_breakpad=0
- enable_breakpad_upload=0
-{% endif %}
-{% if coredump.format == 'core' %}
- disable_coredump=0
- enable_breakpad=0
- enable_breakpad_upload=0
-{% endif %}
-{% if coredump.format == 'minidump' %}
- disable_coredump=1
- enable_breakpad=1
-{% if coredump.collect == 'sentry' %}
- enable_breakpad_upload=1
- breakpad_upload_url={{ coredump.sentry_url }}
-{% endif %}
-{% if coredump.collect == 'local' %}
- enable_breakpad_upload=0
-{% endif %}
-{% endif %}
-{% endraw %}
- breakpad_minidump_dir="/run/certstore/crashreport"
- breakpad_upload_tools="/opt/tsg/framework/bin/minidump_upload"
-[CONFIG]
-#Number of running threads
-thread-nu = 4
-#1 rsync, 0 sync
-mode=1
-#Local default root certificate is valid for 30 days by default
-expire_after = 30
-#Local default root certificate path
-local_debug = 1
-ca_path = ./cert/tsg-ca-v3-trust-ca.pem
-untrusted_ca_path = ./cert/tsg-ca-v3-untrust-ca.pem
-
-[MAAT]
-#Configure the load mode,
-#0: using the configuration distribution network
-#1: using local json
-#2: using Redis reads
-maat_json_switch=2
-#When the loading mode is sent to the network, set the scanning configuration modification interval (s).
-effective_interval=1
-#Specify the location of the configuration library table file
-table_info=./conf/table_info.conf
-#Incremental profile path
-inc_cfg_dir=./rule/inc/index
-#Full profile path
-full_cfg_dir=./rule/full/index
-#Json file path when json schema is used
-pxy_obj_keyring=./conf/pxy_obj_keyring.json
-
-[LIBEVENT]
-#Local monitor port number, default is 9991
-port = 9991
-
-[CERTSTORE_REDIS]
-#The Redis server IP address and port number where the certificate is stored locally
-ip = 127.0.0.1
-port = 6379
-
-[MAAT_REDIS]
-#Maat monitors the Redsi server IP address and port number
-
-ip = {% raw %}{{ cm_policy_server_ip }}
-{% endraw %}
-port = {% raw %}{{ cm_policy_server_port }}
-{% endraw %}
-{% raw %}dbindex = {{ vsys_id }}
-{% endraw %}
-[stat]
-statsd_server=127.0.0.1
-statsd_port=8100
-statsd_set_prometheus_port=9002
-statsd_set_prometheus_url_path=/metrics
\ No newline at end of file
diff --git a/ansible/roles/certstore/templates/service_override_env.conf.j2 b/ansible/roles/certstore/templates/service_override_env.conf.j2
deleted file mode 100644
index 2119b2a7..00000000
--- a/ansible/roles/certstore/templates/service_override_env.conf.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-Environment=HASPUSER_PREFIX=/etc/haspuser/
\ No newline at end of file
diff --git a/ansible/roles/certstore/templates/service_override_slice.conf.j2 b/ansible/roles/certstore/templates/service_override_slice.conf.j2
deleted file mode 100644
index db248c50..00000000
--- a/ansible/roles/certstore/templates/service_override_slice.conf.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-Slice=workload.slice
\ No newline at end of file
diff --git a/ansible/roles/certstore/templates/zlog.conf.j2 b/ansible/roles/certstore/templates/zlog.conf.j2
deleted file mode 100644
index bde3a4dc..00000000
--- a/ansible/roles/certstore/templates/zlog.conf.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-[global]
-default format = "%d(%c), %V, %F, %U, %m%n"
-rotate lock file = /tmp/certstore_zlog.lock
-file perms = 644
-[levels]
-DEBUG=10
-INFO=20
-FATAL=30
-[rules]
-*.fatal "./logs/error.log.%d(%F)";
-*.fatal "./logs/certstore.log.%d(%F)"
\ No newline at end of file
diff --git a/ansible/roles/container-tools-install/tasks/main.yml b/ansible/roles/container-tools-install/tasks/main.yml
deleted file mode 100644
index a0883886..00000000
--- a/ansible/roles/container-tools-install/tasks/main.yml
+++ /dev/null
@@ -1,178 +0,0 @@ -- name: "update all" - yum: - name: '*' - conf_file: "{{ rpm_repo_config_path }}" - state: latest - -- name: "hotfix for dnf broken" - shell: - cmd: "dnf upgrade --refresh rpm glibc && rm /var/lib/rpm/.rpm.lock && dnf upgrade dnf" - -- name: "install tcpdump" - yum: - name: tcpdump - conf_file: "{{ rpm_repo_config_path }}" - state: present - -- name: "install numactl-libs" - yum: - name: numactl-libs - conf_file: "{{ rpm_repo_config_path }}" - state: present - -- name: "install iproute" - yum: - name: iproute - conf_file: "{{ rpm_repo_config_path }}" - state: present - -- name: "install iptables" - yum: - name: iptables - conf_file: "{{ rpm_repo_config_path }}" - state: present - -- name: "install procps" - yum: - name: procps - conf_file: "{{ rpm_repo_config_path }}" - state: present - -- name: "install net-tools" - yum: - name: net-tools - conf_file: "{{ rpm_repo_config_path }}" - state: present - -- name: "install ethtool" - yum: - name: ethtool - conf_file: "{{ rpm_repo_config_path }}" - state: present - -- name: "install gdb" - yum: - name: gdb - conf_file: "{{ rpm_repo_config_path }}" - state: present - -- name: "install ipmitool" - yum: - name: ipmitool - conf_file: "{{ rpm_repo_config_path }}" - state: present - -- name: "install liburing" - yum: - name: liburing - conf_file: "{{ rpm_repo_config_path }}" - state: present - -- name: "install vim" - yum: - name: vim - conf_file: "{{ rpm_repo_config_path }}" - state: present - -- name: "install lrzsz" - yum: - name: lrzsz - conf_file: "{{ rpm_repo_config_path }}" - state: present - -- name: "install libnsl" - yum: - name: libnsl - conf_file: "{{ rpm_repo_config_path }}" - state: present - -- name: "install perf" - yum: - name: perf - conf_file: "{{ rpm_repo_config_path }}" - state: present - releasever: 8.6 - -- name: "install libnsl" - yum: - name: jq - conf_file: "{{ rpm_repo_config_path }}" - state: present - -- name: "install perl" - yum: - name: perl - conf_file: "{{ 
rpm_repo_config_path }}" - state: present - -- name: "install perl-open" - yum: - name: perl-open - conf_file: "{{ rpm_repo_config_path }}" - state: present - -- name: "install valgrind" - yum: - name: valgrind - conf_file: "{{ rpm_repo_config_path }}" - state: present - -- name: "install python2" - yum: - name: python2 - conf_file: "{{ rpm_repo_config_path }}" - state: present - -- name: "Install python module" - shell: pip2 install -i https://pypi.tuna.tsinghua.edu.cn/simple PrettyTable==0.7.2 - -- name: "install flamegraphs for perf" - yum: - name: js-d3-flame-graph - conf_file: "{{ rpm_repo_config_path }}" - state: present - -- name: "install python3" - yum: - name: python3 - conf_file: "{{ rpm_repo_config_path }}" - state: present - -- name: "install python3 prettytable" - shell: python3 -m pip install prettytable - -- name: "install python3 jinja2" - shell: python3 -m pip install jinja2 - -- name: "install dnsutils" - yum: - name: dnsutils - conf_file: "{{ rpm_repo_config_path }}" - state: present - -- name: "install wireshark" - yum: - name: wireshark - conf_file: "{{ rpm_repo_config_path }}" - state: present - -- name: "install crudini" - yum: - name: crudini - conf_file: "{{ rpm_repo_config_path }}" - state: present - -- name: "install inotify-tools" - yum: - name: inotify-tools - conf_file: "{{ rpm_repo_config_path }}" - state: present - -- name: "install python3 tomlq" - shell: python3 -m pip install tomlq - -- name: "install python3 toml" - shell: python3 -m pip install toml - -- name: "install python3 sdnotify" - shell: python3 -m pip install sdnotify \ No newline at end of file diff --git a/ansible/roles/firewall/tasks/main.yml b/ansible/roles/firewall/tasks/main.yml deleted file mode 100644 index 6886679f..00000000 --- a/ansible/roles/firewall/tasks/main.yml +++ /dev/null 
@@ -1,55 +0,0 @@
----
-- name: "download rpm packages: firewall"
- yum:
- name: "{{ item.value }}"
- conf_file: "{{ rpm_repo_config_path }}"
- state: present
- download_only: yes
- download_dir: "{{ path_download }}"
- with_dict: "{{ firewall_rpm_version }}"
-
-- name: "Install firwall that are sapp plugins"
- shell: rpm -i /tmp/rpm_download/{{ item.1 }}* --prefix {{ prefix_path.sapp }}
- when:
- - item.0 is not search("stellar-c")
- - item.0 is not search("firewall")
- loop: "{{ firewall_rpm_version | dictsort }}"
-
-- name: "Install firwall and stellar-c rpm plugins"
- shell: rpm -i /tmp/rpm_download/{{ item }}* --prefix /opt/tsg/
- with_items:
- - "{{ firewall_rpm_version['stellar-c'] }}"
- - "{{ firewall_rpm_version['firewall'] }}"
-
-- name: "Template the tsgconf/main.conf"
- template:
- src: "{{ role_path }}/templates/main.conf.j2.j2"
- dest: /opt/tsg/tsg-os-provision/templates/main.conf.j2
- tags: template
- when: runtime_env != 'TSG-X-P0906'
-
-- name: "Template the tsgconf/maat.conf"
- template:
- src: "{{ role_path }}/templates/maat.conf.j2.j2"
- dest: /opt/tsg/tsg-os-provision/templates/maat.conf.j2
- tags: template
- when: runtime_env != 'TSG-X-P0906'
-
-- name: "Template the conf/http/http.conf"
- template:
- src: "{{ role_path }}/templates/http.conf.j2"
- dest: /opt/tsg/sapp/conf/http/http.conf
- tags: template
-
-- name: "Template the conf/quic/main.conf"
- template:
- src: "{{ role_path }}/templates/quic/main.conf.j2"
- dest: /opt/tsg/sapp/conf/quic/main.conf
- tags: template
-
-- name: "Template the /opt/tsg/sapp/plug/business/firewall/firewall.inf"
- template:
- src: "{{ role_path }}/templates/firewall.inf.j2.j2"
- dest: /opt/tsg/tsg-os-provision/templates/firewall.inf.j2
- tags: template
- when: runtime_env != 'TSG-X-P0906'
diff --git a/ansible/roles/firewall/templates/firewall.inf.j2.j2 b/ansible/roles/firewall/templates/firewall.inf.j2.j2
deleted file mode 100644
index 4e5fa105..00000000
--- a/ansible/roles/firewall/templates/firewall.inf.j2.j2
+++ /dev/null
@@ -1,53 +0,0 @@
-[PLUGINFO]
-PLUGNAME=FIREWALL
-SO_PATH=./plug/business/firewall/firewall.so
-INIT_FUNC=firewall_init
-DESTROY_FUNC=firewall_destory
-
-[SSL]
-FUNC_FLAG=SSL_CLIENT_HELLO,SSL_SERVER_HELLO,SSL_APPLICATION_DATA,SSL_CERTIFICATE_DETAIL
-FUNC_NAME=firewall_ssl_plug_entry
-
-[MAIL]
-FUNC_FLAG=ALL
-FUNC_NAME=firewall_mail_plug_entry
-
-[HTTP]
-FUNC_FLAG=ALL
-FUNC_NAME=firewall_http_plug_entry
-
-[QUIC]
-FUNC_FLAG=QUIC_CLIENT_HELLO,QUIC_SERVER_HELLO,QUIC_CACHED_CERT,QUIC_COMM_CERT,QUIC_CERT_CHAIN,QUIC_VERSION,QUIC_APPLICATION_DATA
-FUNC_NAME=firewall_quic_plug_entry
-
-[FTP]
-FUNC_FLAG=ALL
-FUNC_NAME=firewall_ftp_plug_entry
-
-[RTP]
-FUNC_FLAG=ALL
-FUNC_NAME=firewall_rtp_plug_entry
-
-[SIP]
-FUNC_FLAG=ALL
-FUNC_NAME=firewall_sip_plug_entry
-
-[SSH]
-FUNC_FLAG=ALL
-FUNC_NAME=firewall_ssh_plug_entry
-
-[STRATUM]
-FUNC_FLAG=ALL
-FUNC_NAME=firewall_stratum_plug_entry
-
-[RDP]
-FUNC_FLAG=ALL
-FUNC_NAME=firewall_rdp_plug_entry
-
-[DNS]
-FUNC_FLAG=ALL
-FUNC_NAME=firewall_dns_plug_entry
-
-[DTLS]
-FUNC_FLAG=ALL
-FUNC_NAME=firewall_dtls_plug_entry
\ No newline at end of file
diff --git a/ansible/roles/firewall/templates/http.conf.j2 b/ansible/roles/firewall/templates/http.conf.j2
deleted file mode 100644
index 7310e49c..00000000
--- a/ansible/roles/firewall/templates/http.conf.j2
+++ /dev/null
@@ -1,43 +0,0 @@
-#http_special
-#all regions
-1 HTTP_ALL
-2 HTTP_OTHER_REGIONS
-#http state
-3 HTTP_STATE
-4 HTTP_REQ_LINE
-5 HTTP_RES_LINE
-6 HTTP_CONTENT
-7 HTTP_UNGZIP_CONTENT
-8 HTTP_MESSAGE_URL
-9 HTTP_URI
-#http_request
-10 HTTP_HOST
-11 HTTP_REFERER
-12 HTTP_USER_AGENT
-13 HTTP_COOKIE
-14 HTTP_PROXY_AUTHORIZATION
-15 HTTP_AUTHORIZATION
-#http_response
-16 HTTP_LOCATION
-17 HTTP_SERVER
-18 HTTP_ETAG
-#http_general
-19 HTTP_DATE
-20 HTTP_TRAILER
-21 HTTP_TRANSFER_ENCODING
-22 HTTP_VIA
-23 HTTP_PRAGMA
-24 HTTP_CONNECTION
-#http_content
-25 HTTP_CONT_ENCODING
-26 HTTP_CONT_LANGUAGE
-27 HTTP_CONT_LOCATION
-28 HTTP_CONT_DISPOSITION
-29 HTTP_CONT_RANGE
-30 HTTP_CONT_LENGTH
-31 HTTP_CONT_TYPE
-32 HTTP_CHARSET
-33 HTTP_EXPIRES
-34 HTTP_X_FLASH_VERSION
-35 HTTP_TRANSFER_LENGTH
-36 Set-Cookie
diff --git a/ansible/roles/firewall/templates/maat.conf.j2.j2 b/ansible/roles/firewall/templates/maat.conf.j2.j2
deleted file mode 100644
index d667d912..00000000
--- a/ansible/roles/firewall/templates/maat.conf.j2.j2
+++ /dev/null
@@ -1,59 +0,0 @@
-[CM_STATIC_MAAT]
-###file, json, redis
-MAAT_MODE=redis
-STAT_SWITCH=1
-PERF_SWITCH=0
-HIT_GROUP_SWITCH=1
-TABLE_INFO=tsgconf/firewall_cm_maat_tableinfo.json
-STAT_FILE=metrics/firewall_cm_maat_stat.json
-EFFECT_INTERVAL_MS=1000
-GARBAGE_COLLECT_MS=60000
-RULE_UPDATE_CHECK_INTERVAL_MS=1000
-REDIS_IP={% raw %}{{ cm_policy_server_ip }}
-{% endraw %}
-REDIS_PORT={% raw %}{{ cm_policy_server_port }}
-{% endraw %}
-{% raw %}REDIS_INDEX={{ vsys_id }}
-{% endraw %}
-JSON_CFG_FILE=tsgconf/firewall_cm_maat_rule.json
-INC_CFG_DIR=tsgrule/inc/index/
-FULL_CFG_DIR=tsgrule/full/index/
-EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
-LOG_PATH="log/firewall.cm.maat"
-
-[SD_DYNAMIC_MAAT]
-MAAT_MODE=redis
-STAT_SWITCH=1
-PERF_SWITCH=1
-TABLE_INFO=tsgconf/firewall_sd_maat_tableinfo.json
-STAT_FILE=metrics/firewall_sd_maat_stat.json
-EFFECT_INTERVAL_MS=100
-GARBAGE_COLLECT_MS=30000
-RULE_UPDATE_CHECK_INTERVAL_MS=100
-REDIS_IP=127.0.0.1
-REDIS_PORT_NUM=1
-REDIS_PORT=7002
-REDIS_INDEX=1
-JSON_CFG_FILE=tsgconf/firewall_sd_maat_rule.json
-INC_CFG_DIR=tsgrule/inc/index/
-FULL_CFG_DIR=tsgrule/full/index/
-EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
-LOG_PATH="log/firewall.sd.maat"
-
-[MAAT]
-{% raw %}{% set tags_list = [] %}
-{% if data_center.name is defined %}
-{% set tag_json = "{\"tag\":\"" ~ "data_center" ~ "\",\"value\":\"" ~ data_center.name ~ "\"}" %}
-{{tags_list.append(tag_json)}}{% endif %}
-{% if device.tags is defined %}
-{% for device_tag in device.tags %}
-{% for key,value in device_tag.items() %}
-{% set tag_json = "{\"tag\":\"" ~ key ~ "\",\"value\":\"" ~ value ~ "\"}" %}
-{{tags_list.append(tag_json)}}{% endfor %}
-{% endfor %}
-{% endif %}
-{% if data_center.name is not defined and device.tags is not defined %}
-{{ device.tags }}
-{% endif %}
-ACCEPT_TAGS={"tags":[{{ tags_list | join(",") }}]}
-{% endraw %}
diff --git a/ansible/roles/firewall/templates/main.conf.j2.j2 b/ansible/roles/firewall/templates/main.conf.j2.j2
deleted file mode 100644
index 7ad1ea28..00000000
--- a/ansible/roles/firewall/templates/main.conf.j2.j2
+++ /dev/null
@@ -1,118 +0,0 @@
-[MAAT]
-PROFILE="./tsgconf/maat.conf"
-
-[TSG_LOG]
-IPFIX_SCHEMA_PROFILE=./tsgconf/firewall_logger_ipfix_schema.json
-LOGGER_SCHEMA_PROFILE=./tsgconf/firewall_logger_transmitter_schema.json
-
-TRAFFIC_VSYSTEM_ID={% raw %}{{ vsys_id }}
-{% endraw %}
-
-NIC_NAME="{{ control_and_policy.nic_name }}"
-
-COMMON_FIELD_FILE="tsgconf/tsg_log_field.conf"
-{% raw %}
-{% if sessionrecord.enable_contains_app_id == 1 %}
-SEND_APP_ID_SWITCH=1
-{% else %}
-SEND_APP_ID_SWITCH=0
-{% endif %}
-{% if sessionrecord.enable_interim_record == 1 %}
-SEND_INTERIM_RECORD=1
-{% else %}
-SEND_INTERIM_RECORD=0
-{% endif %}
-{% if sessionrecord.enable_transcation_record == 1 %}
-SEND_TRANSACTION_RECORD=1
-{% else %}
-SEND_TRANSACTION_RECORD=0
-{% endif %}
-{% endraw %}
-
-[SYSTEM]
-NIC_NAME="{{ control_and_policy.nic_name }}"
-{% raw %}{% if data_center.id is defined %}
-DATACENTER_ID={{ data_center.id }}
-{% elif session_id_generator.snowflake_worker_id_base is defined %}
-DATACENTER_ID={{ session_id_generator.snowflake_worker_id_base }}
-{% else %}
-DATACENTER_ID={{ session_id_generator.snowflake_worker_id_base }}
-{% endif %}
-{% endraw %}
-LOG_LEVEL=30
-LOG_PATH="firewall.log"
-L7_PROTOCOL_FILE="./tsgconf/firewall_l7_protocol.conf"
-DEVICE_ID_COMMAND="hostname | awk -F'-' '{print $3}'| awk -F'adc' '{print $2}'"
-{% raw %}{% if device.sequence_in_data_center is defined %}
-DEVICE_SEQ_IN_DATA_CENTER={{ device.sequence_in_data_center }}
-{% elif session_id_generator.snowflake_worker_id_offset is defined %}
-DEVICE_SEQ_IN_DATA_CENTER={{ session_id_generator.snowflake_worker_id_offset }}
-{% else %}
-DEVICE_SEQ_IN_DATA_CENTER={{ session_id_generator.snowflake_worker_id_offset }}
-{% endif %}
-{% endraw %}
-GENERATE_JA3_FINGERPRINT=1
-PERIODIC_SCAN_INTERVAL_MS=120000
-
-APPSKETCH_SWITCH=1
-
-[FIREWALL]
-# hijack, replace
-PACKET_RESPONSE_MODE=replace
-HTTP_PAGE200=./tsgconf/HTTP200.html
-HTTP_PAGE204=./tsgconf/HTTP204.html
-HTTP_PAGE403=./tsgconf/HTTP403.html
-HTTP_PAGE404=./tsgconf/HTTP404.html
-
-[FIREWALL_LOCAL_STAT]
-STAT_NAME="firewall"
-STAT_INTERVAL_TIME_S=5
-STAT_OUTPATH="metrics/firewall_local_file_stat.json"
-
-[qdpi_detector]
-debug_swtich=30
-intput_max_packet=20
-qmdpi_engine_config=injection_mode=stream;nb_workers={{ workload_firewall.worker_threads }};nb_flows=8000;basic_dpi_enable=1;classification_cache_enable=0;fm_flow_table_alloc_mode=0
-
-{% if dp_steering_firewall.enable_mirror == 1 %}
-[TRAFFIC_MIRROR]
-TRAFFIC_MIRROR_ENABLE=1
-NIC_NAME="{{ dp_traffic_mirror.nic_name }}"
-DEFAULT_VLAN_ID={{ dp_traffic_mirror.traffic_mirror_vlan_id }}
-{% endif %}
-
-{% raw %}
-[SHAPING]
-SWARMKV_CLUSTER_NAME="tsg-shaping-vsys{{ vsys_id }}"
-SWARMKV_NODE_IP="0.0.0.0"
-SWARMKV_NODE_PORT=8551
-SWARMKV_CONSUL_IP="127.0.0.1"
-SWARMKV_CONSUL_PORT=8500
-
-SWARMKV_CLUSTER_ANNOUNCE_IP="127.0.0.1"
-SWARMKV_CLUSTER_ANNOUNCE_PORT=8551
-
-SWARMKV_HEALTH_CHECK_PORT=8552
-SWARMKV_HEALTH_CHECK_ANNOUNCE_PORT=8552
-
-TELEGRAF_IP="127.0.0.1"
-TELEGRAF_PORT=8200
-SESSION_QUEUE_LEN_MAX=128
-PRIORITY_QUEUE_LEN_MAX=1024
-#POLLING_NODE_NUM_MAX=[ 3, 2, 2, 1, 1, 1, 1, 1, 1, 1 ]
-POLLING_NODE_NUM_MAX={"polling_node_num_max":[ 3, 2, 2, 1, 1, 1, 1, 1, 1, 1 ]}
-{% endraw %}
-
-[PROTO_IDENTIFY]
-MAX_IDENTIFY_PACKETS=10
-
-[SESSION_FLAGS]
-#RANDOM_LOOKING_JUDGE_LIST={"random_looking_judge_list":[ "frequency", "block_frequency", "cumulative_sums", "runs", "longest_run", "rank", "non_overlapping_template_matching", "overlapping_template_matching", "universal", "random_excursions", "random_excursions_variant", "poker_detect", "runs_distribution", "self_correlation", "binary_derivative" ]}
-RANDOM_LOOKING_JUDGE_LIST={"random_looking_judge_list":[]}
-
-[SF_CLASSIFIER]
-SYNC_MODE=1
-
-[STAT_POLICY_ENFORCER]
-POLICY_CYCLE_INTERVAL_S=1
-POLICY_CYCLE_NUM_SUBMIT=4
diff --git a/ansible/roles/firewall/templates/quic/main.conf.j2 b/ansible/roles/firewall/templates/quic/main.conf.j2
deleted file mode 100644
index c66168ec..00000000
--- a/ansible/roles/firewall/templates/quic/main.conf.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-[QUIC]
-QUIC_PORT_LIST=443;8443;4433;
diff --git a/ansible/roles/framework/files/framework.conf b/ansible/roles/framework/files/framework.conf
deleted file mode 100644
index ed8ac775..00000000
--- a/ansible/roles/framework/files/framework.conf
+++ /dev/null
@@ -1 +0,0 @@
-/opt/tsg/framework/lib/
diff --git a/ansible/roles/framework/files/framework.sh b/ansible/roles/framework/files/framework.sh
deleted file mode 100644
index 017ce81f..00000000
--- a/ansible/roles/framework/files/framework.sh
+++ /dev/null
@@ -1 +0,0 @@
-export PATH=/opt/tsg/framework/bin:$PATH
diff --git a/ansible/roles/framework/tasks/main.yml b/ansible/roles/framework/tasks/main.yml
deleted file mode 100644
index ec4974ba..00000000
--- a/ansible/roles/framework/tasks/main.yml
+++ /dev/null
@@ -1,66 +0,0 @@
-- name: "copy framework rpms to destination server"
- copy:
- src: "{{ role_path }}/files/"
- dest: "/tmp/ansible_deploy/"
-
-- name: "uninstall rsyslog-kafka and librdkafka"
- yum:
- name: "{{ item }}"
- state: absent
- with_items:
- - rsyslog-kafka
- - librdkafka
-
-- name: "download rpm packages: framework"
- yum:
- name: "{{ item.1 }}"
- state: present
- conf_file: "{{ rpm_repo_config_path }}"
- download_only: yes
- download_dir: "{{ path_download }}"
- loop: "{{ framework_rpm_version | dictsort }}"
- when:
- - item.1 is not search("libswarmkv-tools")
- - item.1 is not search("libswarmkv")
-
-- name: "download rpm packages: libswarmkv"
- yum:
- name: "{{ item }}"
- state: present
- conf_file: "{{ rpm_repo_config_path }}"
- download_only: yes
- download_dir: "{{ path_download }}"
- with_items:
- - "{{ framework_rpm_version['18_libswarmkv'] }}"
- - "{{ framework_rpm_version['19_libswarmkv-tools'] }}"
- when: runtime_env == 'TSG-X-P0906'
-
-- name: "Install frameworks"
- shell: rpm -i /tmp/rpm_download/{{ item.1 }}* --prefix {{ prefix_path.framework }}
- when:
- - item.1 is not search("libswarmkv-tools")
- - item.1 is not search("libswarmkv")
- loop: "{{ framework_rpm_version | dictsort }}"
-
-- name: "Install libswarmkv-tool"
- shell: rpm -i /tmp/rpm_download/{{ item }}* --prefix {{ prefix_path.framework }} --nodeps
- with_items:
- - "{{ framework_rpm_version['18_libswarmkv'] }}"
- - "{{ framework_rpm_version['19_libswarmkv-tools'] }}"
- when: runtime_env == 'TSG-X-P0906'
-
-- name: "mkdir /etc/ld.so.conf.d/"
- file:
- path: /etc/ld.so.conf.d/
- state: directory
-
-- name: "copy framework.conf to destination server"
- copy:
- src: "{{ role_path }}/files/framework.conf"
- dest: /etc/ld.so.conf.d/
-
-- name: "copy framework.sh to destination for execute files of framework"
- copy:
- src: "{{ role_path }}/files/framework.sh"
- dest: /etc/profile.d/
- mode: 0755
\ No newline at end of file
diff --git a/ansible/roles/http_healthcheck/tasks/main.yml b/ansible/roles/http_healthcheck/tasks/main.yml
deleted file mode 100644
index c2a0b0c6..00000000
--- a/ansible/roles/http_healthcheck/tasks/main.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-- name: "download rpm packages: http_healthcheck"
- yum:
- name: "{{ http_healthcheck_rpm_version.http_healthcheck }}"
- conf_file: "{{ rpm_repo_config_path }}"
- state: present
- download_only: yes
- download_dir: "{{ path_download }}"
-
-- name: "Install http_healthcheck that is sapp plugins"
- shell: rpm -i /tmp/rpm_download/{{ http_healthcheck_rpm_version.http_healthcheck }}* --prefix {{ prefix_path.sapp }}
\ No newline at end of file
diff --git a/ansible/roles/redis/files/redis-6.2.5-1.el7.remi.x86_64.rpm b/ansible/roles/redis/files/redis-6.2.5-1.el7.remi.x86_64.rpm
deleted file mode 100644
index 3d0d1e04..00000000
Binary files a/ansible/roles/redis/files/redis-6.2.5-1.el7.remi.x86_64.rpm and /dev/null differ
diff --git a/ansible/roles/redis/files/redis_exporter b/ansible/roles/redis/files/redis_exporter
deleted file mode 100644
index 4a6fe692..00000000
Binary files a/ansible/roles/redis/files/redis_exporter and /dev/null differ
diff --git a/ansible/roles/redis/tasks/main.yml b/ansible/roles/redis/tasks/main.yml
deleted file mode 100644
index 37c516b3..00000000
--- a/ansible/roles/redis/tasks/main.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-- name: "redis rpm install:copy file to device"
- copy:
- src: '{{ role_path }}/files/'
- dest: /tmp/ansible_deploy/
-
-- name: "redis rpm install:install redis"
- yum:
- name:
- - "/tmp/ansible_deploy/redis-6.2.5-1.el7.remi.x86_64.rpm"
- state: present
- disable_gpg_check: yes
-
-- name: "Create /usr/lib/systemd/system/redis.service.d directory if it does not exist"
- file:
- path: "{{ item }}"
- state: directory
- mode: '0755'
- with_items:
- - /usr/lib/systemd/system/redis.service.d
-
-- name: "copy slice file to redis.service.d"
- copy:
- src: "{{ role_path }}/templates/service_override_slice.conf.j2"
- dest: /usr/lib/systemd/system/redis.service.d/service_override_slice.conf
- mode: 0644
- when: runtime_env != 'TSG-X-P0906'
-
-- name: "redis exporter"
- copy:
- src: '{{ role_path }}/files/'
- dest: /usr/bin/
- mode: 0755
diff --git a/ansible/roles/redis/templates/service_override_slice.conf.j2 b/ansible/roles/redis/templates/service_override_slice.conf.j2
deleted file mode 100644
index db248c50..00000000
--- a/ansible/roles/redis/templates/service_override_slice.conf.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-Slice=workload.slice
\ No newline at end of file
diff --git a/ansible/roles/sapp/files/service_attach_startpre.conf.except_tera b/ansible/roles/sapp/files/service_attach_startpre.conf.except_tera
deleted file mode 100644
index b6fe657d..00000000
--- a/ansible/roles/sapp/files/service_attach_startpre.conf.except_tera
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-ExecStartPre=/bin/bash -c "echo 'Sapp pre start'"
diff --git a/ansible/roles/sapp/files/service_attach_startpre.conf.tera b/ansible/roles/sapp/files/service_attach_startpre.conf.tera
deleted file mode 100644
index f5050126..00000000
--- a/ansible/roles/sapp/files/service_attach_startpre.conf.tera
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-ExecStartPre=/bin/bash tera_fake_promisc_setup.sh
diff --git a/ansible/roles/sapp/files/tera_fake_promisc_setup.sh b/ansible/roles/sapp/files/tera_fake_promisc_setup.sh
deleted file mode 100644
index 9236080f..00000000
--- a/ansible/roles/sapp/files/tera_fake_promisc_setup.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-set -ex
-dp_adapter_ether_addr=$(ifconfig eth_rsv | grep ether | awk '{print $2}')
-bpf_rule="ether dst $dp_adapter_ether_addr or ether dst 02:42:c0:a8:fd:03 or ether dst 02:42:c0:a8:fd:85 or ether dst 02:42:c0:a8:fd:82"
-sed -i "/BSD_packet_filter=/s/=.*/=\"$bpf_rule\"/" etc/sapp.toml
diff --git a/ansible/roles/sapp/tasks/main.yml b/ansible/roles/sapp/tasks/main.yml
deleted file mode 100644
index f7f2791c..00000000
--- a/ansible/roles/sapp/tasks/main.yml
+++ /dev/null
@@ -1,223 +0,0 @@ ---- -- name: "download rpm packages: sapp and tcpdump_mesa" - yum: - name: "{{ item.value }}" - conf_file: "{{ rpm_repo_config_path }}" - state: present - download_only: yes - download_dir: "{{ path_download }}" - with_dict: "{{ sapp_rpm_version }}" - -- name: "download rpm packages: jemalloc" - yum: - name: "jemalloc" - conf_file: "{{ rpm_repo_config_path }}" - state: present - -- name: "Create directory /opt/tsg/framework and /opt/tsg/sapp if they not exist" - file: - path: "{{ item }}" - state: directory - mode: '0644' - with_items: - - /opt/tsg/sapp - - /opt/tsg/framework - -- name: "Install sapp rpm package" - shell: rpm -i /tmp/rpm_download/{{ item.value }}* --prefix {{ prefix_path.sapp }} - when: item.key is search("sapp") - with_dict: "{{ sapp_rpm_version }}" - -- name: "Install tcpdump_mesa rpm package" - shell: rpm -i /tmp/rpm_download/{{ sapp_rpm_version.tcpdump_mesa }}* --prefix {{ prefix_path.framework }} - -- name: replace sapp service - replace: - path: "{{ item }}" - regexp: '/home/mesasoft/sapp_run' - replace: '/opt/tsg/sapp' - with_items: - - /usr/lib/systemd/system/sapp.service - - /etc/sysconfig/sapp - -- name: replace Requires to Wants in sapp service file - replace: - path: "{{ item }}" - regexp: 'Requires' - replace: 'Wants' - with_items: - - /usr/lib/systemd/system/sapp.service - -- name: "mkdir tsgconf" - file: - path: /opt/tsg/sapp/tsgconf - state: directory - -- name: Template the sapp.toml - template: - src: "{{ role_path }}/templates/sapp.toml.j2.j2" - dest: /opt/tsg/tsg-os-provision/templates/sapp.toml.j2 - tags: template - when: runtime_env != 'TSG-X-P0906' - -- name: Template the project_list.conf - template: - src: "{{ role_path }}/templates/project_list.conf.j2" - dest: /opt/tsg/sapp/etc/project_list.conf - tags: template - -- name: Template the send_raw_pkt.conf - template: - src: "{{ role_path }}/templates/send_raw_pkt.conf.j2" - dest: /opt/tsg/sapp/etc/send_raw_pkt.conf - tags: template - when: runtime_env != 
'TSG-X-P0906' - -- name: Template the conflist.inf - tsg_server - template: - src: "{{ role_path }}/templates/conflist.inf.j2.j2" - dest: /opt/tsg/tsg-os-provision/templates/conflist.inf.j2 - tags: template - when: runtime_env != 'TSG-X-P0906' - -- name: Template the entrylist.conf.j2 - template: - src: "{{ role_path }}/templates/entrylist.conf.j2" - dest: /opt/tsg/sapp/etc/entrylist.conf - tags: template - -- name: Template the asymmetric_addr_layer.conf.j2 - template: - src: "{{ role_path }}/templates/asymmetric_addr_layer.conf.j2" - dest: /opt/tsg/sapp/etc/asymmetric_addr_layer.conf - tags: template - -- name: Template the necessary_plug_list.conf - 7400-MCN0 and 9140 - template: - src: "{{ role_path }}/templates/necessary_plug_list.conf.j2" - dest: /opt/tsg/sapp/etc/necessary_plug_list.conf - tags: template - -- name: Template the vlan_flipping_map.conf - tsg-7400 - template: - src: "{{ role_path }}/templates/vlan_flipping_map.conf.j2.j2.7400MCN0P01R01" - dest: /opt/tsg/tsg-os-provision/templates/vlan_flipping_map.conf.j2 - tags: template - when: - - runtime_env == 'TSG-7400-mcn0' - -- name: Template the sapp_log.conf - template: - src: "{{ role_path }}/templates/sapp_log.conf.j2" - dest: /opt/tsg/sapp/etc/sapp_log.conf - tags: template - -- name: Template the sapp_tmpfile.conf - template: - src: "{{ role_path }}/templates/sapp_tmpfile.conf.j2" - dest: /usr/lib/tmpfiles.d/sapp_tmpfile.conf - tags: template - -- name: Template the gdev.conf - template: - src: "{{ role_path }}/templates/gdev.conf.j2.j2" - dest: /opt/tsg/tsg-os-provision/templates/gdev.conf.j2 - tags: template - when: runtime_env != 'TSG-X-P0906' - -- name: Template the well_known_port.conf - template: - src: "{{ role_path }}/templates/well_known_port.conf.j2" - dest: /opt/tsg/sapp/etc/well_known_port.conf - tags: template - - -- name: "Create /usr/lib/systemd/system/sapp.service.d/ directory if it does not exist" - file: - path: "{{ item }}" - state: directory - mode: '0755' - with_items: - - 
/usr/lib/systemd/system/sapp.service.d - -- name: "sapp: service override timeoutsec" - template: - src: "{{ role_path }}/templates/service_override_timeoutsec.conf.j2" - dest: /usr/lib/systemd/system/sapp.service.d/service_override_timeoutsec.conf - mode: 0644 - -- name: "copy slice file to sapp.service.d" - copy: - src: "{{ role_path }}/templates/service_override_slice.conf.j2" - dest: /usr/lib/systemd/system/sapp.service.d/service_override_slice.conf - mode: 0644 - when: runtime_env != 'TSG-X-P0906' - -- name: "copy env conf to sapp.service.d" - copy: - src: "{{ role_path }}/templates/service_override_env.conf.j2" - dest: /usr/lib/systemd/system/sapp.service.d/service_override_env.conf - mode: 0644 - -- name: "copy fake promisc tools for tera mode - service file and scripts" - copy: - src: "{{ item.src }}" - dest: /opt/tsg/tsg-os-provision/files/ - mode: "{{ item.mode }}" - with_items: - - { src: "{{ role_path }}/files/service_attach_startpre.conf.tera", mode: "0644" } - - { src: "{{ role_path }}/files/service_attach_startpre.conf.except_tera", mode: "0644" } - - { src: "{{ role_path }}/files/tera_fake_promisc_setup.sh", mode: "0755" } - when: - - runtime_env == 'TSG-7400-mcn0' - -- name: "replace action: replace service WantedBy from multi-user.target to workload.target" - replace: - path: "{{ item }}" - regexp: 'WantedBy=multi-user.target' - replace: 'WantedBy=workload.target' - with_items: - - /usr/lib/systemd/system/sapp.service - when: runtime_env != 'TSG-X-P0906' - -- name: "mkdir -p /opt/tsg/sapp/bin" - file: - path: /opt/tsg/sapp/bin - state: directory - when: runtime_env != 'TSG-X-P0906' - -- name: "copy set_shaping_addr.sh file to dest" - template: - src: "{{ role_path }}/templates/set_shaping_addr.sh.j2" - dest: /opt/tsg/sapp/bin/set_shaping_addr.sh - mode: 0755 - when: runtime_env != 'TSG-X-P0906' - -- name: "copy set_shaping_addr.sh file to dest" - template: - src: "{{ role_path }}/templates/set_shaping_addr.sh.j2" - dest: 
/opt/tsg/sapp/bin/set_shaping_addr.sh - mode: 0755 - when: runtime_env != 'TSG-X-P0906' - -- name: "copy startpre file to sapp.service.d" - copy: - src: "{{ role_path }}/templates/service_startpre.conf.j2" - dest: /usr/lib/systemd/system/sapp.service.d/service_startpre.conf - mode: 0644 - when: runtime_env != 'TSG-X-P0906' - -- name: 'delete r2,r3' - file: - path: "/opt/tsg/sapp/{{ item }}" - state: absent - with_items: - - r2 - - r3 - - -##################### sapp ##################### -- name: "enable sapp" - systemd: - name: sapp - enabled: yes diff --git a/ansible/roles/sapp/templates/asymmetric_addr_layer.conf.j2 b/ansible/roles/sapp/templates/asymmetric_addr_layer.conf.j2 deleted file mode 100644 index f4dcd827..00000000 --- a/ansible/roles/sapp/templates/asymmetric_addr_layer.conf.j2 +++ /dev/null @@ -1,9 +0,0 @@ -#layer name definition: ipv4, ipv6, ethernet,vlan, arp, gre, mpls, pppoe, tcp, udp, l2tp, ppp, pptp, gtp -#pattern: asymmetric_layer_name[layer index] -#The symbol "*" represents any layer -ethernet[*] -vlan[*] -vxlan[*] -mpls[*] -gre[*] -gtp[*] diff --git a/ansible/roles/sapp/templates/conflist.inf.j2.j2 b/ansible/roles/sapp/templates/conflist.inf.j2.j2 deleted file mode 100644 index c0076f3c..00000000 --- a/ansible/roles/sapp/templates/conflist.inf.j2.j2 +++ /dev/null 
@@ -1,46 +0,0 @@
-[platform]
-./plug/stellar_on_sapp/start_loader.inf
-
-{% if ddossketch.enable == 1 %}
-./plug/platform/tsg_ddos_sketch/tsg_ddos_sketch.inf
-{% endif %}
-{% endraw %}
-
-[protocol]
-./plug/protocol/deal_socks/deal_socks.inf
-{% raw %}{% if firewall.enable_sip == 1 %}
-./plug/protocol/sip/sip.inf
-{% endif %}
-{% endraw %}
-./plug/protocol/rtp/rtp.inf
-./plug/protocol/ssl/ssl.inf
-./plug/protocol/http/http.inf
-./plug/protocol/dns/dns.inf
-./plug/protocol/mail/mail.inf
-./plug/protocol/ftp/ftp.inf
-./plug/protocol/quic/quic.inf
-./plug/protocol/l2tp_protocol_plug/l2tp_protocol_plug.inf
-./plug/protocol/ssh/ssh.inf
-./plug/protocol/stratum/stratum.inf
-./plug/protocol/rdp/rdp.inf
-{% raw %}{% if firewall.enable_dtls == 1 %}
-./plug/protocol/dtls/dtls.inf
-{% endif %}
-{% endraw %}
-
-[business]
-{% raw %}{% if firewall.enable == 1 %}
-./plug/business/firewall/firewall.inf
-{% endif %}
-{% if proxy.enable == 1 %}
-./plug/business/kni/kni.inf
-{% endif %}
-./plug/business/conn_telemetry/conn_telemetry.inf
-{% endraw %}
-{% if runtime_env == 'TSG-7400-mcn0' %}
-{% raw %}{% if npb_device == 'tera' %}
-./plug/business/http_healthcheck/http_healthcheck.inf
-{% endif %}
-{% endraw %}
-{% endif %}
-./plug/stellar_on_sapp/defer_loader.inf
\ No newline at end of file
diff --git a/ansible/roles/sapp/templates/entrylist.conf.j2 b/ansible/roles/sapp/templates/entrylist.conf.j2
deleted file mode 100644
index bb9b411a..00000000
--- a/ansible/roles/sapp/templates/entrylist.conf.j2
+++ /dev/null
@@ -1,24 +0,0 @@
-IP
-IPV6
-IPV6_RAW
-TCP_ALL
-TCP
-UDP
-PHONY
-POLLING
-IPSEC
-L2TP
-PPTP
-DNS
-QUIC
-HTTP
-MAIL
-FTP
-SSL
-RTP
-SIP
-SSH
-SOCKS
-STRATUM
-RDP
-DTLS
\ No newline at end of file
diff --git a/ansible/roles/sapp/templates/gdev.conf.j2.j2 b/ansible/roles/sapp/templates/gdev.conf.j2.j2
deleted file mode 100644
index d6c9b87f..00000000
--- a/ansible/roles/sapp/templates/gdev.conf.j2.j2
+++ /dev/null
@@ -1,6 +0,0 @@
-[Module]
-pcapdevice={{ dp_steering_firewall.nic_internal }}
-sendto_gdev_card={{ dp_steering_firewall.nic_internal }}
-sendto_gdev_ip={% raw %}{{ gdev_conf_keep_alive_ip }}
-{% endraw %}
-gdev_status_switch=1
diff --git a/ansible/roles/sapp/templates/necessary_plug_list.conf.j2 b/ansible/roles/sapp/templates/necessary_plug_list.conf.j2
deleted file mode 100644
index 1b9a89e1..00000000
--- a/ansible/roles/sapp/templates/necessary_plug_list.conf.j2
+++ /dev/null
@@ -1,23 +0,0 @@
-#以下插件如果加载,初始化失败, sapp平台会退出;
-#插件的路径来自配置文件 ./plug/conflist.inf, 不需要加段落标识[platform],[protocol],[business]等.
-#If the following plugins fail to initialize, the sapp platform will exit.
-#The name of the plugin comes from the configuration ./plug/conflist.inf, section identification is not required.
-
-./plug/protocol/sip/sip.inf
-./plug/protocol/rtp/rtp.inf
-./plug/protocol/ssl/ssl.inf
-./plug/protocol/ssh/ssh.inf
-./plug/protocol/http/http.inf
-./plug/protocol/dns/dns.inf
-./plug/protocol/mail/mail.inf
-./plug/protocol/ftp/ftp.inf
-./plug/protocol/quic/quic.inf
-./plug/protocol/rdp/rdp.inf
-./plug/protocol/l2tp_protocol_plug/l2tp_protocol_plug.inf
-./plug/business/kni/kni.inf
-./plug/business/conn_telemetry/conn_telemetry.inf
-./plug/business/http_healthcheck/http_healthcheck.inf
-./plug/platform/tsg_ddos_sketch/tsg_ddos_sketch.inf 1
-./plug/business/firewall/firewall.inf
-./plug/stellar_on_sapp/start_loader.inf
-./plug/stellar_on_sapp/defer_loader.inf
\ No newline at end of file
diff --git a/ansible/roles/sapp/templates/project_list.conf.j2 b/ansible/roles/sapp/templates/project_list.conf.j2
deleted file mode 100644
index ce5e9a35..00000000
--- a/ansible/roles/sapp/templates/project_list.conf.j2
+++ /dev/null
@@ -1,20 +0,0 @@
-tcp_flow_stat struct
-udp_flow_stat struct
-tcp_deduce_flow_stat struct
-POLICY_PRIORITY struct
-ESTABLISH_LATENCY long
-MAIL_IDENTIFY int
-TSG_MASTER_INTERNAL_LABEL struct
-APP_ID_LABEL struct
-BASIC_PROTO_LABEL struct
-USER_DEFINED_ATTRIBUTE struct
-SKETCH_TRANS_LAYER_CTX_LABEL struct
-SKETCH_PROTO_CTX_LABEL struct
-common_link_info_c2s struct
-common_link_info_s2c struct
-common_link_info struct
-JA3_FINGERPRINT_LABEL struct
-DKPT_PRO_V2 struct
-DPKT_PROJECT_V2 struct
-PPROJECT_PRO_V2 struct
-DPKT_BHSTAT_PROJECT struct
diff --git a/ansible/roles/sapp/templates/sapp.toml.j2.j2 b/ansible/roles/sapp/templates/sapp.toml.j2.j2
deleted file mode 100644
index 9a05d4f9..00000000
--- a/ansible/roles/sapp/templates/sapp.toml.j2.j2
+++ /dev/null
@@ -1,299 +0,0 @@
-###################################################################################################
-# NOTE:
-# The format of this file is toml (https://github.com/cktan/tomlc99)
-# to make vim editor display colorful and human readable,
-# you can create a symbolic links named sapp.ini to sapp.toml, ln -sf sapp.toml sapp.ini
-###################################################################################################
-
-[SYSTEM]
-instance_name = "sapp4"
-
-[CPU]
-### note, bind_mask, if you do not want to bind thread to special CPU core, keep it empty as []
-worker_threads={{ workload_firewall.worker_threads }}
-send_only_threads_max={{ workload_firewall.send_only_threads_max }}
-bind_mask=[{{ workload_firewall.cpu_affinity }}]
-
-[MEM]
-dictator_enable=0
-
-[PACKET_IO]
-
- [overlay_tunnel_definition]
-### note, since 2020-10-01, L2-L3 tunnel(VLAN,MPLS,PPPOE,etc.) is process and offload by mrtunnat,
-### after 2020-10-01, sapp support L2-L3 tunnel(VLAN,MPLS,PPPOE,etc.) without mrtunnat.
- l2_l3_tunnel_support=1
-
-### note, optional value is [none, vxlan]
-{% if dp_steering_firewall.encapsulation == 'vlan' or dp_steering_firewall.encapsulation == 'raw' %}
- overlay_mode="none"
-{% endif %}
-{% if dp_steering_firewall.encapsulation == 'vxlan' %}
- overlay_mode="vxlan"
-{% endif %}
-{% if dp_steering_firewall.encapsulation == 'provision' %}
- overlay_mode={% raw %}{{ sapp_overlay_mode }}
- {% endraw %}
-{% endif %}
- [packet_io.feature]
-
- destroy_all_plug_enabled = 0
-
- ### note, used to represent inbound or outbound direction value,
- ### because it comes from Third party device, so it needs to be specified manually,
- ### if inbound_route_dir=1, then outbound_route_dir=0, vice versa,
- ### in other words, outbound_route_dir = 1 ^ inbound_route_dir;
- inbound_route_dir=1
-
-### note, BSD_packet_filter, if you do not want to set any filter rule, keep it empty as ""
- BSD_packet_filter=""
-
-### note, same as tcpdump -Q/-P arg, possible values are `in', `out' and `inout', default is "in"
- pcap_capture_direction="in"
-
-
-### note, depolyment.mode options: [sys_route, vxlan_by_inline_device, raw_ethernet_single_gateway, raw_ethernet_multi_gateway]
-### sys_route: send ip(ipv6) packet by system route table, this is default mode in mirror mode;
-### vxlan_by_inline_device: encapsulation inject packet with vxlan, and then send to inline device by udp socket.
-### raw_ethernet_single_gateway: send layer2 ethernet packet to specific gateway in same broadcast domain.
-### raw_ethernet_multi_gateway: send layer2 ethernet packet to multiple gateway in same broadcast domain.
- inject_pkt_mode="default"
- inject_pkt_prepend_segment_id=0
-### note, this config is valid if inject_pkt_mode==vxlan_by_inline_device, means udp socket src port.
- #inject_mode_inline_device_sport=54789
-
-### note, this config is valid if inject_pkt_mode==raw_ethernet_single_gateway.
- #inject_mode_single_gateway_device="eth1"
-### inject_mode_single_gateway_src_mac has lower priority than get smac from inject_mode_single_gateway_device
- #inject_mode_single_gateway_src_mac="00:11:22:77:88:99"
- #inject_mode_single_gateway_dst_mac="00:11:22:33:44:55"
- #dumpfile_sleep_time_before_exit=3
-
-### note, deployment.mode options: [mirror, inline, transparent]
- [packet_io.deployment]
-{% if dp_steering_firewall.deployment == 'inline' %}
- mode="inline"
-{% endif %}
-{% if dp_steering_firewall.deployment == 'mirror' %}
- mode="mirror"
-{% endif %}
-{% if dp_steering_firewall.deployment == 'transparent' %}
- mode="transparent"
-{% endif %}
-
-### note, interface.type options: [pag,pcap,marsio]
- [packet_io.internal.interface]
-{% if dp_steering_firewall.capture_packet == 'driver' %}
- type="marsio"
-{% endif %}
-{% if dp_steering_firewall.capture_packet == 'pcap' %}
- type="pcap"
-{% endif %}
- name={{ dp_steering_firewall.nic_internal }}
- [packet_io.external.interface]
- type="pcap"
- name=lo
-
- [packet_io.polling]
-### note, polling_priority = call sapp_recv_pkt every call polling_entry times,
- polling_priority=100
-
- [packet_io.under_ddos]
-### note, to reduce impact of ddos attack,set some stream bypass, all plugins will not process these streams
-{% raw %}stream_bypass_enabled={{ feature.enable_stream_bypass_under_ddos }}
-{% endraw %}
-
-### note, cpu usage value is percent, for example, config value is 85, means 85%, valid range: [1,100]
-### sapp change to bypass state immediately when realtime cpu usage > bypass_trigger_cpu_usage
-{% raw %}bypass_trigger_cpu_usage={{ advanced_settings.stream_bypass_trigger_cpu_usage }}
-{% endraw %}
-
-### note, unit of get_cpu_usage_interval is milliseconds(ms)
- get_cpu_usage_interval=500
-### note, use the average of the last $smooth_avg_window times as current realtime value
- smooth_avg_window=2
-
- decrease_ratio="0.95"
- increase_ratio="1.005"
-### note, unit of bypass_observe_time is second(s)
- recovery_observe_time=30
-
-[PROTOCOL_FEATURE]
- ipv6_decapsulation_enabled=1
- ipv6_send_packet_enabled=1
- tcp_drop_pure_ack_pkt=0
- tcp_syn_option_parse_enabled=1
- skip_not_ip_layer_over_eth=0
- skip_gtp_seq_field_for_inject=1
-
-[DUPLICATE_PKT]
-[dup_pkt.traffic.original]
- kickout_udp_stream_enabled=0
- original_ipv4_tcp_enabled=1
- original_ipv4_udp_enabled=0
-### note, can't distinguish between duplicate traffic and application retransmit traffic for IPv6 packets,
-### so not support IPv6 original duplicate traffic check.
-
-[dup_pkt.traffic.inject]
- inject_all_enabled=1
-
-[dup_pkt.parameters]
- bloom_capacity=1000000
- bloom_error_rate=0.00001
- bloom_timeout=10
-
-[STREAM]
-### note, stream_id_base_time format is "%Y-%m-%d %H:%M:%S"
- stream_id_base_time="2021-01-01 00:00:00"
- [stream.tcp]
- {% raw %}max={{ advanced_settings.stream_tcp_max }}
- timeout={{ advanced_settings.stream_tcp_timeout }}
- {% endraw %}
- syn_mandatory=1
- reorder_pkt_max=128
- analyse_option_enabled=1
- tuple4_reuse_time_interval=30
-
- meaningful_statistics_minimum_pkt=3
- meaningful_statistics_minimum_byte=5
-
- [stream.tcp.inject]
- link_mss=1460
-
- [stream.tcp.inject.rst]
- auto_remedy=0
- number=3
- signature_enabled=1
- signature_seed1=65535
- signature_seed2=13
- remedy_kill_tcp_by_inline_device=0
-
- [stream.udp]
- {% raw %}max={{ advanced_settings.stream_udp_max }}
- timeout={{ advanced_settings.stream_udp_timeout }}
- {% endraw %}
- meaningful_statistics_minimum_pkt=3
- meaningful_statistics_minimum_byte=5
-
-
-[PROFILING]
- [profiling.log]
- sapp_log_category="sapp_log"
- sapp_plugin_log_category="sapp_plugin_log"
- #for profiling-related API control, e.g printaddr
-
- [profiling.metric]
- [profiling.metric.fs2]
- enabled=0
- prometheus_port=9273
- prometheus_url_path="/metrics"
- local_file="log/fs2_sysinfo.metrics"
- refresh_interval_s=1
-
- [profiling.metric.fs3]
- enabled=0
- prometheus_port=9273
- prometheus_url_path="/metrics"
- local_file="log/fs3_sysinfo.metrics"
- refresh_interval_s=1
-
- [profiling.metric.fs4]
- enabled=1
- local_file="./metrics/fs4_sysinfo.json"
- refresh_interval_s=1
- app_name="sapp4"
-
- [profiling.process_latency]
- log_category="sapp_process_latency_log"
- histogram_enabled=0
- local_file="fs2_process_latency.metrics"
- refresh_interval_s=1
-### note, threshold unit is microseconds (us), legal_scope [1,99999999], max value is 99
- threshold_us=1000
-### define in time.h,use CLOCK_MONOTONIC_COARSE as default
-### 0 means CLOCK_REALTIME, 1 means CLOCK_MONOTONIC, 2 means CLOCK_PROCESS_CPUTIME_ID, 3 means CLOCK_THREAD_CPUTIME_ID
-### 4 means CLOCK_MONOTONIC_RAW, 5 means CLOCK_REALTIME_COARSE, 6 means CLOCK_MONOTONIC_COARSE
- clock_gettime_id=6
-
- [profiling.sanity_check]
- raw_pkt_broken_enabled=0
- symbol_conflict_enabled=0
-
-[TOOLS]
- [tools.pkt_dump]
- enabled=1
-### note, mode options value:[storage, udp_socket]
- mode="udp_socket"
- BSD_packet_filter=""
-
- [tools.pkt_dump.threads]
-### note, if you want enable pkt dump in all thread, set dump_thread_all_enabled=1, then 'dump_thread_id' is obsoleted.
-### if dump_thread_all_enabled=0, then use dump_thread_id to specify separate specified thread index.
- all_threads_enabled=1
-
-### note, dump_thread_id start from 0, max is CPU.worker_threads-1
- dump_thread_id=[0,1,2,3,4]
-
- [tools.pkt_dump.udp]
- command_port=9345
- pkt_dump_ratio=30
-
- [tools.pkt_dump.storage]
-### note, file path must be double quotation mark extension, for example, path="/dev/shm/pkt_dump"
- path="/dev/shm/pkt_dump"
-### note, file size unit: MB
- file_size_max_per_thread=10000
-
-
-[BREAKPAD]
-{% raw %}{% if coredump.format == 'none' %}
- disable_coredump=1
- enable_breakpad=0
- enable_breakpad_upload=0
-{% endif %}
-{% if coredump.format == 'core' %}
- disable_coredump=0
- enable_breakpad=0
- enable_breakpad_upload=0
-{% endif %}
-{% if coredump.format == 'minidump' %}
- disable_coredump=1
- enable_breakpad=1
-{% if coredump.collect == 'sentry' %}
- enable_breakpad_upload=1
- breakpad_upload_url="{{ coredump.sentry_url }}"
-{% endif %}
-{% if coredump.collect == 'local' %}
- enable_breakpad_upload=0
-{% endif %}
-{% endif %}
-{% endraw %}
- breakpad_minidump_dir="/run/sapp/crashreport"
- breakpad_upload_tools="/opt/tsg/framework/bin/minidump_upload"
-
-### note:
-### These configurations format is complex and difficult to describe with toml grammar,
-### so, create a independent secondary config file to description specific information.
-
-[SECONDARY_CONFIG_LINK]
- cfg_file_sapp_log="etc/sapp_log.conf"
- cfg_file_plug_list="plug/conflist.inf"
- cfg_file_project_list="etc/project_list.conf"
- cfg_file_entrylist="etc/entrylist.conf"
- cfg_file_send_raw_pkt="etc/send_raw_pkt.conf"
- cfg_file_vxlan_sport_map="etc/vxlan_sport_service_map.conf"
- cfg_file_inline_device="etc/gdev.conf"
- cfg_file_necessary_plug_list="etc/necessary_plug_list.conf"
- cfg_file_stream_compare_layer="etc/stream_compare_layer.conf"
- cfg_file_vlan_flipping="etc/vlan_flipping_map.conf"
- cfg_file_asymmetric_addr_layer="etc/asymmetric_addr_layer.conf"
- cfg_file_well_known_port="etc/well_known_port.conf"
-
-[SECONDARY_DATA_LINK]
- data_file_sysinfo_log="log/sysinfo.log"
- data_file_field_stat_log="log/fs2_sysinfo.log"
- data_file_inline_keepalive_log="log/gdev_keeplive_status.log"
-
-[LIBRARY_LINK]
- marsio_library_path="{{ prefix_path.mrzcpd }}/lib/libmarsio.so"
-
\ No newline at end of file
diff --git a/ansible/roles/sapp/templates/sapp_log.conf.j2 b/ansible/roles/sapp/templates/sapp_log.conf.j2
deleted file mode 100644
index 25ac51a8..00000000
--- a/ansible/roles/sapp/templates/sapp_log.conf.j2
+++ /dev/null
@@ -1,18 +0,0 @@
-[global]
-default format = "%d(%c), %V, %U, %m%n"
-rotate lock file = /tmp/sapp_zlog.lock
-file perms = 644
-[levels]
-DEBUG=10
-INFO=20
-FATAL=30
-STOP=40
-[formats]
-other = "%d(%c), %V, %F, %U, %m%n"
-plugin = "%d(%c), %m%n"
-[rules]
-sapp_log.fatal "./log/runtimelog.%d(%F)"
-sapp_plugin_log.fatal >stdout; plugin
-sapp_plugin_log.info "./log/plugin.log.%d(%F)"; plugin
-sapp_process_latency_log.fatal "./log/sapp_process_latency.log.%d(%F)"
-!.fatal "./log/%c.%d(%F)"; other
diff --git a/ansible/roles/sapp/templates/sapp_tmpfile.conf.j2 b/ansible/roles/sapp/templates/sapp_tmpfile.conf.j2
deleted file mode 100644
index ab7a05b5..00000000
--- a/ansible/roles/sapp/templates/sapp_tmpfile.conf.j2
+++ /dev/null
@@ -1,6 +0,0 @@
-#Type Path Mode User Group Age Argument
-d /var/log/sapp/ 0755 - - 2d -
-d /run/sapp/alerts_files/ 0755 - - - -
-d /run/sapp/crashreport 0755 - - 30d -
-L /opt/tsg/sapp/log - - - - /var/log/sapp
-L /opt/tsg/sapp/alerts_files - - - - /run/sapp/alerts_files
\ No newline at end of file
diff --git a/ansible/roles/sapp/templates/send_raw_pkt.conf.j2 b/ansible/roles/sapp/templates/send_raw_pkt.conf.j2
deleted file mode 100644
index 7d314e0c..00000000
--- a/ansible/roles/sapp/templates/send_raw_pkt.conf.j2
+++ /dev/null
@@ -1,9 +0,0 @@
-#(0:pag,1:pcap,2:dumpfile,3:pfring,4:DPDK,5:ppf,6:NPacket,7:qnf,8:N95,9:pcap-dumpfile-list,10:topsec,
-##(11:ipfile, 12:marsio4, 13:agent_smith, 14:dpdk_vxlan, 15:marsio_vxlan, 16:pag_marsio
-
-#target_id
-0 pag p7p2 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 {{ dp_steering_firewall.nic_internal }} smith dpdk dpdk pag
-1 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 {{ dp_steering_firewall.nic_internal }} smith dpdk dpdk pag
-#2 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p1 smith dpdk dpdk pag
-#3 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p2 smith dpdk dpdk pag
-#4 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p2 smith dpdk dpdk pag
\ No newline at end of file
diff --git a/ansible/roles/sapp/templates/service_override_env.conf.j2 b/ansible/roles/sapp/templates/service_override_env.conf.j2
deleted file mode 100644
index 46085d60..00000000
--- a/ansible/roles/sapp/templates/service_override_env.conf.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-[Service]
-Environment="ZLOG_PROFILE_ERROR=/var/log/zlog.error.log"
-Environment=HASPUSER_PREFIX=/etc/haspuser/
\ No newline at end of file
diff --git a/ansible/roles/sapp/templates/service_override_slice.conf.j2 b/ansible/roles/sapp/templates/service_override_slice.conf.j2
deleted file mode 100644
index db248c50..00000000
--- a/ansible/roles/sapp/templates/service_override_slice.conf.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-Slice=workload.slice
\ No newline at end of file
diff --git a/ansible/roles/sapp/templates/service_override_timeoutsec.conf.j2 b/ansible/roles/sapp/templates/service_override_timeoutsec.conf.j2
deleted file mode 100644
index 16f5a6c5..00000000
--- a/ansible/roles/sapp/templates/service_override_timeoutsec.conf.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-TimeoutSec=900s
\ No newline at end of file
diff --git a/ansible/roles/sapp/templates/service_startpre.conf.j2 b/ansible/roles/sapp/templates/service_startpre.conf.j2
deleted file mode 100644
index 5553e725..00000000
--- a/ansible/roles/sapp/templates/service_startpre.conf.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-ExecStartPre=/opt/tsg/sapp/bin/set_shaping_addr.sh
\ No newline at end of file
diff --git a/ansible/roles/sapp/templates/set_shaping_addr.sh.j2 b/ansible/roles/sapp/templates/set_shaping_addr.sh.j2
deleted file mode 100644
index 82a6a7df..00000000
--- a/ansible/roles/sapp/templates/set_shaping_addr.sh.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh -ex
-HOST_IP=$(ip a show {{ control_and_policy.nic_name }} | grep inet | grep -v inet6 | awk '{print $2}' | awk -F '/' '{print $1}')
-echo "Log and policy nic ipv4 address:$HOST_IP"
-sed -i "s/^SWARMKV_CONSUL_IP.*$/SWARMKV_CONSUL_IP=\"$HOST_IP\"/g" /opt/tsg/sapp/tsgconf/main.conf
-sed -i "s/^SWARMKV_CLUSTER_ANNOUNCE_IP.*$/SWARMKV_CLUSTER_ANNOUNCE_IP=\"$HOST_IP\"/g" /opt/tsg/sapp/tsgconf/main.conf
diff --git a/ansible/roles/sapp/templates/vlan_flipping_map.conf.j2.j2.7400MCN0P01R01 b/ansible/roles/sapp/templates/vlan_flipping_map.conf.j2.j2.7400MCN0P01R01
deleted file mode 100644
index bf891c0b..00000000
--- a/ansible/roles/sapp/templates/vlan_flipping_map.conf.j2.j2.7400MCN0P01R01
+++ /dev/null
@@ -1,19 +0,0 @@
-#for inline a device vlan flipping
-#数据包来自C路由器端, 即C2I(I2E)方向,
-#数据包来自I路由器端, 即I2C(E2I)方向,
-#平台会根据vlan_id,设置当前包route_dir的值, 以便上层业务插件做两个方向的流量统计,
-#如果一对vlan_id写反了, 网络是通的, 但是I2E,E2I的流量统计就颠倒了.
-#配置文件格式, pattern:
-#来自C路由器vlan_id 来自I路由器vlan_id 是否开启mac地址翻转
-#C_router_vlan_id I_router_vlan_id mac_flipping_enable
-{% raw %}{% if npb_device == 'tera' %}
-{% for zone_group in tera_steering_group %}
-{{ zone_group.internal.vlan_id }} {{ zone_group.external.vlan_id }} 1
-{% endfor %}
-{% endif %}
-{% if npb_device == 'direct' %}
-1000 1001 0
-2000 2001 0
-{% endif %}
-{% endraw %}
-4000 4001 0
diff --git a/ansible/roles/sapp/templates/well_known_port.conf.j2 b/ansible/roles/sapp/templates/well_known_port.conf.j2
deleted file mode 100644
index e4bf2c1a..00000000
--- a/ansible/roles/sapp/templates/well_known_port.conf.j2
+++ /dev/null
@@ -1,9 +0,0 @@
-# The following ports are considered as server, when creating a new UDP stream or TCP stream without SYN(SYN/ACK) packet.
-# You can add other ports according to your needs.
-[TCP]
-#http
-8080
-
-[UDP]
-#OICQ
-8000
diff --git a/ansible/roles/sce/tasks/main.yml b/ansible/roles/sce/tasks/main.yml
deleted file mode 100644
index 1d19e43f..00000000
--- a/ansible/roles/sce/tasks/main.yml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-- name: "download rpm packages: sce"
- yum:
- name:
- - "{{ sce_rpm_version.sce }}"
- conf_file: "{{ rpm_repo_config_path }}"
- state: present
- download_only: yes
- download_dir: "{{ path_download }}"
-
-- name: "Get sce rpm path"
- find:
- path: /tmp/rpm_download/
- pattern: "{{ sce_rpm_version.sce }}*"
- register: sce_rpm_fullname
-
-- name: "Install sce from local path"
- yum:
- name: "{{ sce_rpm_fullname.files[0].path }}"
- state: present
- disable_gpg_check: yes
diff --git a/ansible/roles/shaping_engine/tasks/main.yml b/ansible/roles/shaping_engine/tasks/main.yml
deleted file mode 100644
index 74918d56..00000000
--- a/ansible/roles/shaping_engine/tasks/main.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-- name: "download rpm packages: shaping_engine"
- yum:
- name:
- - "{{ shaping_engine_rpm_version.shaping_engine }}"
- conf_file: "{{ rpm_repo_config_path }}"
- state: present
- download_only: yes
- download_dir: "{{ path_download }}"
-
-- name: "Get shaping_engine rpm path"
- find:
- path: /tmp/rpm_download/
- pattern: "{{ shaping_engine_rpm_version.shaping_engine }}*"
- register: shaping_engine_rpm_fullname
-
-- name: "Install shaping_engine from local path"
- yum:
- name: "{{ shaping_engine_rpm_fullname.files[0].path }}"
- state: present
- disable_gpg_check: yes
-
-- name: "install epel-release"
- shell: yum install epel-release -y
-
-- name: "install jemalloc"
- shell: yum install jemalloc -y
\ No newline at end of file
diff --git a/ansible/roles/tfe/files/service_override_Requires.conf b/ansible/roles/tfe/files/service_override_Requires.conf
deleted file mode 100644
index 1df551f1..00000000
--- a/ansible/roles/tfe/files/service_override_Requires.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-[Unit]
-Requires=mrzcpd.service
-After=network-online.target mrzcpd.service
diff --git a/ansible/roles/tfe/files/tfe.service b/ansible/roles/tfe/files/tfe.service
deleted file mode 100755
index 745c2d6d..00000000
--- a/ansible/roles/tfe/files/tfe.service
+++ /dev/null
@@ -1,23 +0,0 @@
-[Unit]
-Description=Tango Frontend Engine
-Requires=tfe-env.service
-After=tfe-env.service
-
-
-[Service]
-Type=notify
-ExecStart=/opt/tsg/tfe/bin/tfe
-WorkingDirectory=/opt/tsg/tfe/
-TimeoutSec=900s
-RestartSec=10s
-Restart=always
-LimitNOFILE=524288
-LimitNPROC=infinity
-LimitCORE=infinity
-TasksMax=infinity
-Delegate=yes
-KillMode=process
-WatchdogSec=10s
-
-[Install]
-WantedBy=multi-user.target
diff --git a/ansible/roles/tfe/files/tsg_diagnose_ca.pem b/ansible/roles/tfe/files/tsg_diagnose_ca.pem
deleted file mode 100644
index 65cd3d74..00000000
--- a/ansible/roles/tfe/files/tsg_diagnose_ca.pem
+++ /dev/null
@@ -1,36 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIGWzCCBEOgAwIBAgIJAIEUARRZuqOXMA0GCSqGSIb3DQEBCwUAMHcxCzAJBgNV
-BAYTAkNOMRAwDgYDVQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdCZWlqaW5nMRgwFgYD
-VQQKDA9EaWFnbm9zZSBCYWRTU0wxKjAoBgNVBAMMIUJhZFNTTCBSb290IENlcnRp
-ZmljYXRlIEF1dGhvcml0eTAeFw0yMTEyMDIwMzU0NDRaFw0zMTExMzAwMzU0NDRa
-MHcxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdCZWlq
-aW5nMRgwFgYDVQQKDA9EaWFnbm9zZSBCYWRTU0wxKjAoBgNVBAMMIUJhZFNTTCBS
-b290IENlcnRpZmljYXRlIEF1dGhvcml0eTCCAiIwDQYJKoZIhvcNAQEBBQADggIP
-ADCCAgoCggIBAOLd76Ea5epn0NNu5yF6gY1YrzqgFY8PoVP/qaaa+otHooKPqC3t
-dwA/jhADP3d6UgS/94rsViGsdawx2jlHLv7TcuJeXMcsZjQAkBVfL5wkEhw5Csr4
-/UmEeLiJiPyj+Dad+Ne7G4qfTv8802HSSBrv6kGcJSsHAzQ1AnzwBaITNmuR3IBE
-0vmxulvXyfpsT413z+Ik2N6xp8rI6cINyqNMA356vgM/x79OunE52kTM5ocx7Wd6
-vxUKRpYVPitbhvKvWF45YGkQ0LxnII6PwgnBeA+a0rvdq4XEfEPwyDmQ+H1cdozz
-qhPJbTQgX1QL4dgM+erBYKpTjksX65kj89c7DNLdgbS26zDNcyD7oIXmYpwggJOt
-J/2zSmN5L79Y8VT0VWlvSv3uTtViTZBPeIsWnT1Ea/sJP6IpjcePLR2MW0GGlcz9
-X97ojp+Ws0I5VFdv77kLeel/2iO3rHPe6xMgJ/7zSre7t0vdwaDzQlsC9FUeDHJS
-1SBT4sGfUZs82O8IvvxBSp15eTDlhHcYK/pMgvsC8PDrsiFcehMEh2olXlU/Qi/U
-E9lL5Hv6/VmtMS0J0Y7buGfo4iSohVPIYB4Akq/jq3vOsWNIEV686eD8U0JCLxjb
-bHkV4WrXJvvElxnB1OnhgF7jfxJgecMUi2bl4VZGWNucRwRmFXGsYsw/AgMBAAGj
-gekwgeYwHQYDVR0OBBYEFBPYAnh6x+6Ls7Pv7XLsTJaXOrdaMIGpBgNVHSMEgaEw
-gZ6AFBPYAnh6x+6Ls7Pv7XLsTJaXOrdaoXukeTB3MQswCQYDVQQGEwJDTjEQMA4G
-A1UECAwHQmVpamluZzEQMA4GA1UEBwwHQmVpamluZzEYMBYGA1UECgwPRGlhZ25v
-c2UgQmFkU1NMMSowKAYDVQQDDCFCYWRTU0wgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRo
-b3JpdHmCCQCBFAEUWbqjlzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkq
-hkiG9w0BAQsFAAOCAgEAtdA6Y3GATG9mOwOj3vyBjWCbTeVgRXomhquAOVIdh6Xl
-+GUXlX2K/bcRW1GGi51s/RzNGOqTym7XHzzROJ2XhxnQcWHIqUpCb6IAGwsBxRVe
-ruC8lUDcjitHm2BrdJsDnIpWA+iJ/ihuYuTaDwfIipao/NqftneWp+A6XjQ4pYsY
-MoTRsk1HxvYGSLE4wKQhTH9JESCx7I8ltYAnF3bQLKfqcwuPvWNR3Vth5rl2bxfk
-c7mmgpGjjQCsFZDcBnPxKqc12VPbmJEtsgP945SrwYCZkg1kd+py2kgcvccE5Y3g
-sAhWCMNKMwc1Wg3tPNAQvzXZZKtRUOFd/5mcjkq0QWZcDdA1r74DhB2e22KitUok
-YCdM0o+45EVMZVMe0QWUIgByz1PObM7IP1oEFEJ0afRc0Ra6scYXUBS7Nnk2UNxX
-bsQrD0GdrX4pb7Zg1RJEgUU51UGflQpzyJuvQIjXT3pAk9IDKQUXi6lNiM85OGKn
-HJYX48KuYlG7I0zIa7Tfz6rkcCxGsXe8jx5+4zVkul9gVxmmDAQv1jYOPvoXIFQc
-TtfSekSxzop+DsMySQHQqjFOHtAYBoWjCLX9FNURJ/yPcsYpMrcrTDVzucPK8utK
-jcCDir6QMO0z4heHZyV5alant/MYEquBe0ooCCAhh138HndvwVHjekh/le/lf28=
------END CERTIFICATE-----
diff --git a/ansible/roles/tfe/tasks/main.yml b/ansible/roles/tfe/tasks/main.yml
deleted file mode 100644
index 50c09f7e..00000000
--- a/ansible/roles/tfe/tasks/main.yml
+++ /dev/null
@@ -1,146 +0,0 @@
----
-- name: "download rpm packages: tfe"
- yum:
- name: "{{ item.value }}"
- conf_file: "{{ rpm_repo_config_path }}"
- state: present
- download_only: yes
- download_dir: "{{ path_download }}"
- with_dict: "{{ tfe_rpm_version }}"
-
-- name: "copy tfe program to destination server"
- copy:
- src: "{{ role_path }}/files/"
- dest: /tmp/ansible_deploy/
-
-- name: "copy tfe.service to destination server"
- copy:
- src: "{{ role_path }}/files/tfe.service"
- dest: /usr/lib/systemd/system/
- mode: 0644
-
-- name: "Get tfe rpm final version"
- set_fact:
- tfe_rpm_final_version: "{{ item.value }}"
- when: item.key is search("tfe")
- with_dict: "{{ tfe_rpm_version }}"
-
-- name: "Get tfe rpm path"
- find:
- path: /tmp/rpm_download/
- pattern: "{{ tfe_rpm_final_version }}*"
- register: tfe_rpm_fullname
-
-- name: "Install tfe from local path"
- yum:
- name: "{{ tfe_rpm_fullname.files[0].path }}"
- state: present
- disable_gpg_check: yes
-
-- name: "tfe:copy cert file to device"
- copy:
- src: '{{ role_path }}/files/tsg_diagnose_ca.pem'
- dest: /opt/tsg/tfe/resource/tfe/
-
-- name: "template tfe-env config"
- template:
- src: "{{ role_path }}/templates/tfe-env-config.j2"
- dest: /etc/sysconfig/tfe-env-config
-
-- name: "move tfe sysctl.conf"
- shell: mv /etc/sysctl.d/80-tfe.conf /usr/lib/sysctl.d/80-tfe.conf
- when: runtime_env != 'TSG-X-P0906'
-
-- name: "template the tfe.conf"
- template:
- src: "{{ role_path }}/templates/tfe.conf.j2.j2"
- dest: /opt/tsg/tsg-os-provision/templates/tfe.conf.j2
- when: runtime_env != 'TSG-X-P0906'
-
-- name: "template the zlog.conf"
- template:
- src: "{{ role_path }}/templates/zlog.conf.j2"
- dest: /opt/tsg/tfe/conf/tfe/zlog.conf
-
-- name: "template the future.conf"
- template:
- src: "{{ role_path }}/templates/future.conf.j2"
- dest: /opt/tsg/tfe/conf/tfe/future.conf
-
-- name: "create conf/doh/"
- file:
- path: /opt/tsg/tfe/conf/doh/
- state: directory
-
-- name: "template the doh.conf"
- template:
- src: "{{ role_path }}/templates/doh.conf.j2"
- dest: /opt/tsg/tfe/conf/doh/doh.conf
-
-- name: "create a override conf - first step, create dir"
- file:
- path: /usr/lib/systemd/system/tfe.service.d/
- state: directory
- mode: '0755'
-
-- name: "create a override conf - second step, copy a override service file"
- template:
- src: "{{ role_path }}/templates/require-mrzcpd.conf.j2"
- dest: /usr/lib/systemd/system/tfe.service.d/require-mrzcpd.conf
-
-- name: "copy slice file to tfe.service.d"
- copy:
- src: "{{ role_path }}/templates/service_override_slice.conf.j2"
- dest: /usr/lib/systemd/system/tfe.service.d/service_override_slice.conf
- mode: 0644
- when: runtime_env != 'TSG-X-P0906'
-
-- name: "copy env file to tfe.service.d"
- copy:
- src: "{{ role_path }}/templates/service_override_env.conf.j2"
- dest: /usr/lib/systemd/system/tfe.service.d/service_override_env.conf
- mode: 0644
-
-- name: "replace action: replace service WantedBy from multi-user.target to workload.target"
- replace:
- path: "{{ item }}"
- regexp: 'WantedBy=multi-user.target'
- replace: 'WantedBy=workload.target'
- with_items:
- - /usr/lib/systemd/system/tfe-env.service
- - /usr/lib/systemd/system/tfe.service
- when: runtime_env != 'TSG-X-P0906'
-
-- name: "template the service_add_StartPostForRps.conf"
- template:
- src: "{{ role_path }}/templates/service_add_StartPostForRps.conf.j2.j2"
- dest: /opt/tsg/tsg-os-provision/templates/service_add_StartPostForRps.conf.j2
- when: runtime_env != 'TSG-X-P0906'
-
-- name: "add condition into service depend provision result TSG-X-P0906"
- copy:
- src: "{{ role_path }}/files/service_override_Requires.conf"
- dest: "/usr/lib/systemd/system/tfe-env.service.d/"
- mode: 0644
- when: runtime_env == 'TSG-X-P0906'
-
-- name: "template tfe-env shell to dest"
- template:
- src: "{{ role_path }}/templates/{{ item.src }}"
- dest: "/opt/tsg/tfe/{{ item.dest }}"
- mode: 0755
- when: runtime_env == 'TSG-X-P0906'
- with_items:
- - {src: "tfe-env-start.sh.j2", dest: "tfe-env-start.sh" }
- {src: "tfe-env-stop.sh.j2", dest: "tfe-env-stop.sh" }
-
-##################### tfe #####################
-- name: "enable tfe-env"
- systemd:
- name: tfe-env
- enabled: yes
-
-- name: "enable tfe"
- systemd:
- name: tfe
- enabled: yes
diff --git a/ansible/roles/tfe/templates/doh.conf.j2 b/ansible/roles/tfe/templates/doh.conf.j2
deleted file mode 100755
index 22e9fbaf..00000000
--- a/ansible/roles/tfe/templates/doh.conf.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-[doh]
-enable=1
-
-[maat]
-table_appid=ATTR_APP_ID
-table_qname=ATTR_DOH_QNAME
-table_host=ATTR_SERVER_FQDN
-
-[kafka]
-ENTRANCE_ID=0
-# if enable "en_sendlog", the iterm "tfe.conf [kafka] enable" must set 1
-en_sendlog=1
diff --git a/ansible/roles/tfe/templates/future.conf.j2 b/ansible/roles/tfe/templates/future.conf.j2
deleted file mode 100755
index 3f3c1c73..00000000
--- a/ansible/roles/tfe/templates/future.conf.j2
+++ /dev/null
@@ -1,15 +0,0 @@
-[STAT]
-no_stats=0
-{% if dp_steering_proxy.location == 'foreign' %}
-statsd_server=192.168.100.1
-{% endif %}
-{% if dp_steering_proxy.location == 'local' %}
-statsd_server=127.0.0.1
-{% endif %}
-statsd_port=8100
-histogram_bins=0.50,0.80,0.9,0.95
-statsd_cycle=5
-# FS_OUTPUT_STATSD=1, FS_OUTPUT_INFLUX_LINE=2
-statsd_format=2
-# printf diff Not available
-# print_diff=1
diff --git a/ansible/roles/tfe/templates/require-mrzcpd.conf.j2 b/ansible/roles/tfe/templates/require-mrzcpd.conf.j2
deleted file mode 100644
index 0e69c7e2..00000000
--- a/ansible/roles/tfe/templates/require-mrzcpd.conf.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-[Unit]
-Wants=mrzcpd.service
-After=tfe-env.service mrzcpd.service
diff --git a/ansible/roles/tfe/templates/service_add_StartPostForRps.conf.j2.j2 b/ansible/roles/tfe/templates/service_add_StartPostForRps.conf.j2.j2
deleted file mode 100644
index c16e99b3..00000000
--- a/ansible/roles/tfe/templates/service_add_StartPostForRps.conf.j2.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-[Service]
-{% raw %}{% for i in range( tfe_env_rps_info.rps_size ) %}
-ExecStartPost=/bin/sh -c "echo {{tfe_env_rps_info.rps_mask}} > /sys/class/net/${TFE_DEVICE_DATA_INCOMING}/queues/rx-{{i}}/rps_cpus"
-{% endfor %}{% endraw %}
diff --git a/ansible/roles/tfe/templates/service_override_env.conf.j2 b/ansible/roles/tfe/templates/service_override_env.conf.j2
deleted file mode 100644
index 2119b2a7..00000000
--- a/ansible/roles/tfe/templates/service_override_env.conf.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-Environment=HASPUSER_PREFIX=/etc/haspuser/
\ No newline at end of file
diff --git a/ansible/roles/tfe/templates/service_override_slice.conf.j2 b/ansible/roles/tfe/templates/service_override_slice.conf.j2
deleted file mode 100644
index db248c50..00000000
--- a/ansible/roles/tfe/templates/service_override_slice.conf.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-Slice=workload.slice
\ No newline at end of file
diff --git a/ansible/roles/tfe/templates/tfe-env-config.j2 b/ansible/roles/tfe/templates/tfe-env-config.j2
deleted file mode 100644
index 7674480b..00000000
--- a/ansible/roles/tfe/templates/tfe-env-config.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-TFE_DEVICE_DATA_INCOMING={{ dp_proxy.nic_name_data_incoming }}
-TFE_LOCAL_MAC_DATA_INCOMING=fe:65:b7:03:50:bd
-TFE_PEER_MAC_DATA_INCOMING={{ dp_proxy.mac_addr_data_incoming }}
-TFE_LOCAL_IP_DATA_INCOMING=172.16.241.2
-TFE_PEER_IP_DATA_INCOMING=172.16.241.1
diff --git a/ansible/roles/tfe/templates/tfe-env-start.sh.j2 b/ansible/roles/tfe/templates/tfe-env-start.sh.j2
deleted file mode 100644
index 9763cc99..00000000
--- a/ansible/roles/tfe/templates/tfe-env-start.sh.j2
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash -ex
-
-/usr/sbin/ip link set tap0 address fe:65:b7:03:50:bd
-/usr/sbin/ip link set tap0 up
-/usr/sbin/ip addr flush dev tap0
-/usr/sbin/ip addr add 172.16.241.2/30 dev tap0
-/usr/sbin/ip neigh flush dev tap0
-/usr/sbin/ip neigh add 172.16.241.1 lladdr 00:0e:c6:d6:72:c1 dev tap0 nud permanent
-/usr/sbin/ip6tables -A INPUT -i tap0 -m bpf --bytecode '17,48 0 0 0,84 0 0 240,21 0 13 96,48 0 0 6,21 0 11 6,40 0 0 4,37 0 9 24,48 0 0 52,84 0 0 240,116 0 0 2,53 0 5 24,48 0 0 60,21 0 3 88,48 0 0 61,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
-/usr/sbin/iptables -A INPUT -i tap0 -m bpf --bytecode '18,48 0 0 0,84 0 0 240,21 0 14 64,48 0 0 9,21 0 12 6,40 0 0 6,69 10 0 8191,177 0 0 0,80 0 0 12,84 0 0 240,116 0 0 2,53 0 5 24,80 0 0 20,21 0 3 88,80 0 0 21,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
-
-
-/usr/sbin/ip rule add iif tap0 tab 100
-/usr/sbin/ip route add local default dev lo table 100
-/usr/sbin/ip rule add fwmark 0x65 lookup 101
-/usr/sbin/ip route add default dev tap0 via 172.16.241.1 table 101
-
-/usr/sbin/ip addr add fd00::02/64 dev tap0
-/usr/sbin/ip -6 route add default via fd00::01
-/usr/sbin/ip -6 rule add iif tap0 tab 102
-/usr/sbin/ip -6 route add local default dev lo table 102
-/usr/sbin/ip -6 neigh add fd00::01 lladdr 00:0e:c6:d6:72:c1 dev tap0 nud permanent
diff --git a/ansible/roles/tfe/templates/tfe-env-stop.sh.j2 b/ansible/roles/tfe/templates/tfe-env-stop.sh.j2
deleted file mode 100644
index 468889c8..00000000
--- a/ansible/roles/tfe/templates/tfe-env-stop.sh.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash -ex
-/usr/sbin/ip6tables -D INPUT -i tap0 -m bpf --bytecode '17,48 0 0 0,84 0 0 240,21 0 13 96,48 0 0 6,21 0 11 6,40 0 0 4,37 0 9 24,48 0 0 52,84 0 0 240,116 0 0 2,53 0 5 24,48 0 0 60,21 0 3 88,48 0 0 61,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
-/usr/sbin/iptables -D INPUT -i tap0 -m bpf --bytecode '18,48 0 0 0,84 0 0 240,21 0 14 64,48 0 0 9,21 0 12 6,40 0 0 6,69 10 0 8191,177 0 0 0,80 0 0 12,84 0 0 240,116 0 0 2,53 0 5 24,80 0 0 20,21 0 3 88,80 0 0 21,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
-/usr/sbin/ip rule del iif tap0 tab 100
-/usr/sbin/ip route del local default dev lo table 100
-/usr/sbin/ip rule del fwmark 0x65 lookup 101
-/usr/sbin/ip route del default dev tap0 via 172.16.241.1 table 101
-/usr/sbin/ip -6 rule del iif tap0 tab 102
-/usr/sbin/ip -6 route del default via fd00::01
-/usr/sbin/ip -6 route del local default dev lo table 102
-/usr/sbin/ip addr del fd00::02/64 dev tap0
-/usr/sbin/ip link set tap0 down
diff --git a/ansible/roles/tfe/templates/tfe.conf.j2.j2 b/ansible/roles/tfe/templates/tfe.conf.j2.j2
deleted file mode 100644
index a0bdc750..00000000
--- a/ansible/roles/tfe/templates/tfe.conf.j2.j2
+++ /dev/null
@@ -1,269 +0,0 @@
-[system]
-nr_worker_threads={{ workload_proxy.worker_thread }}
-enable_kni_v1=0
-enable_kni_v2=0
-enable_kni_v3=1
-
-# Only when (disable_coredump == 1 || (enable_breakpad == 1 && enable_breakpad_upload == 1)) is satisfied, the core will not be generated locally
-
-{% raw %}{% if coredump.format == 'none' %}
-disable_coredump=1
-enable_breakpad=0
-enable_breakpad_upload=0
-{% endif %}
-{% if coredump.format == 'core' %}
-disable_coredump=0
-enable_breakpad=0
-enable_breakpad_upload=0
-{% endif %}
-{% if coredump.format == 'minidump' %}
-disable_coredump=1
-enable_breakpad=1
-{% if coredump.collect == 'sentry' %}
-enable_breakpad_upload=1
-breakpad_upload_url={{ coredump.sentry_url }}
-{% endif %}
-{% if coredump.collect == 'local' %}
-enable_breakpad_upload=0
-{% endif %}
-{% endif %}
-{% endraw %}
-# must be /run/tfe/crashreport,due to tmpfile limit
-breakpad_minidump_dir=/run/tfe/crashreport
-breakpad_upload_tools=/opt/tsg/framework/bin/minidump_upload
-
-# ask for at least (1 + nr_worker_threads) masks
-# the first mask for acceptor thread
-# the others mask for worker thread
-enable_cpu_affinity={{ workload_proxy.enable_cpu_affinity }}
-cpu_affinity_mask={{ workload_proxy.cpu_affinity }}
-
-# LEAST_CONN = 0; ROUND_ROBIN = 1
-load_balance=1
-
-# for enable kni v3
-[nfq]
-queue_id=1
-queue_maxlen=655350
-queue_rcvbufsiz=983025000
-queue_no_enobufs=1
-
-[kni]
-# kni v1
-#uxdomain=/var/run/.tfe_kni_acceptor_handler
-# kni v2
-#scm_socket_file=/var/run/.tfe_kmod_scm_socket
-
-# send cmsg
-send_switch=1
-{% if dp_steering_proxy.location == 'local' %}
-ip=127.0.0.1
-{% endif %}
-{% if dp_steering_proxy.location == 'foreign'%}
-ip=192.168.100.1
-{% endif %}
-cmsg_port=2475
-
-# watch dog
-watchdog_switch=1
-watchdog_port=2476
-
-[watchdog_tfe]
-# The worker thread updates the timestamp every two seconds
-# The watchdog thread checks the timestamp every second
-enable=1
-timeout_seconds=5
-statistics_window=20
-timeout_cnt_as_fail=3
-timeout_debug=0
-
-[ssl]
-ssl_debug=0
-ssl_ja3_table=PXY_SSL_FINGERPRINT
-# ssl version Not available, configured via TSG website
-# ssl_max_version=tls13
-# ssl_min_version=ssl3
-ssl_compression=1
-no_ssl2=1
-no_ssl3=0
-no_tls10=0
-no_tls11=0
-no_tls12=0
-default_ciphers=ALL:-aNULL
-no_cert_verify=0
-
-# session ticket
-no_session_ticket=0
-stek_group_num=4096
-stek_rotation_time=3600
-
-# session cache
-no_session_cache=0
-session_cache_slots=4194304
-session_cache_expire_seconds=1800
-
-# service cache
-service_cache_slots=4194304
-service_cache_expire_seconds=300
-service_cache_fail_as_pinning_cnt=4
-service_cache_fail_as_proto_err_cnt=5
-#service_cache_succ_as_app_not_pinning_cnt=0
-service_cache_fail_time_window=30
-
-# cert
-check_cert_crl=0
-trusted_cert_load_local=1
-trusted_cert_file=resource/tfe/tsg_diagnose_ca.pem
-trusted_cert_dir=resource/tfe/trusted_storage
-
-# master key
-log_master_key=0
-key_log_file=log/sslkeylog.log
-
-# mid cert cache
-mc_cache_enable=1
-
-[key_keeper]
-#Mode: debug - generate cert with ca_path, normal - generate cert with cert store
-#0 on cache 1 off cache
-no_cache=0
-mode=normal
-{% if dp_certstore.location == 'local' %}
-cert_store_host=127.0.0.1
-{% endif %}
-{% if dp_certstore.location == 'foreign'%}
-cert_store_host=192.168.100.1
-{% endif %}
-cert_store_port=9991
-ca_path=resource/tfe/tango-ca-v3-trust-ca.pem
-untrusted_ca_path=resource/tfe/tango-ca-v3-untrust-ca.pem
-hash_slot_size=131072
-hash_expire_seconds=300
-cert_expire_time=24
-
-# health_check only for "mode=normal" default 1
-enable_health_check=1
-
-[tsg_http]
-enable_plugin=1
-en_sendlog=1
-
-[debug]
-# 1 : enforce tcp passthrough
-# 0 : Whether to passthrough depends on the tcp_options in cmsg
-passthrough_all_tcp=0
-
-[ratelimit]
-read_rate=0
-read_burst=0
-write_rate=0
-write_burst=0
-
-[tcp]
-# read rcv_buff/snd_buff options from tfe conf
-sz_rcv_buffer=-1
-sz_snd_buffer=-1
-
-# 1 : use tcp_options in tfe.conf
-# 0 : use tcp_options in cmsg
-enable_overwrite=0
-tcp_nodelay=1
-so_keepalive=1
-tcp_keepcnt=8
-tcp_keepintvl=15
-tcp_keepidle=30
-tcp_user_timeout=600
-tcp_ttl_upstream=75
-tcp_ttl_downstream=70
-
-[stat]
-{% if dp_steering_proxy.location == 'foreign' %}
-statsd_server=192.168.100.1
-{% endif %}
-{% if dp_steering_proxy.location == 'local' %}
-statsd_server=127.0.0.1
-{% endif %}
-statsd_port=8900
-statsd_cycle=5
-# 1:FS_OUTPUT_STATSD; 2:FS_OUTPUT_INFLUX_LINE
-statsd_format=2
-histogram_bins=0.5,0.8,0.9,0.95
-statsd_set_prometheus_port=9001
-statsd_set_prometheus_url_path=/metrics
-
-[traffic_mirror]
-enable={{ dp_proxy.enable_traffic_mirror }}
-device={{ dp_traffic_mirror.nic_name }}
-# 0:TRAFFIC_MIRROR_ETHDEV_AF_PACKET; 1:TRAFFIC_MIRROR_ETHDEV_MARSIO
-type={{ dp_proxy.traffic_mirror_type }}
-
-table_info=resource/pangu/table_info_traffic_mirror.conf
-stat_file=log/traffic_mirror.status
-default_vlan_id={{ dp_traffic_mirror.traffic_mirror_vlan_id }}
-
-[kafka]
-enable=1
-NIC_NAME={{ control_and_policy.nic_name }}
-{% raw %}kafka_brokerlist={{ olap.kafka_broker.address_list | join(",") }}
-{% endraw %}
-logger_send_topic=PROXY-EVENT
-file_bucket_topic=TRAFFIC-FILE-STREAM-RECORD
-mc_cache_topic=PXY-EXCH-INTERMEDIA-CERT
-sasl_username=admin
-sasl_passwd=galaxy2019
-device_id_filepath=/opt/tsg/etc/tsg_sn.json
-vsystem_id={% raw %}{{ vsys_id }}
-{% endraw %}
-
-[maat]
-# 0:json 1:redis 2:iris
-maat_input_mode=1
-stat_switch=1
-perf_switch=1
-table_info=resource/pangu/table_info.conf
-accept_path=/opt/tsg/etc/tsg_device_tag.json
-stat_file=log/pangu_scan.fs2
-effect_interval_s=1
-deferred_load_on=0
-
-# json mode conf iterm
-json_cfg_file=resource/pangu/pangu_http.json
-
-# redis mode conf iterm
-maat_redis_server={% raw %}{{ cm_policy_server_ip }}
-{% endraw %}
-maat_redis_port_range={% raw %}{{ cm_policy_server_port }}
-{% endraw %}
-{% raw %}maat_redis_db_index={{ vsys_id }}
-{% endraw %}
-
-# iris mode conf iterm
-full_cfg_dir=pangu_policy/full/index/
-inc_cfg_dir=pangu_policy/inc/index/
-accept_tag_key=data_center
-
-[proxy_hits]
-cycle=1000
-telegraf_port=8900
-{% if dp_steering_proxy.location == 'local' %}
-telegraf_ip=127.0.0.1
-{% endif %}
-{% if dp_steering_proxy.location == 'foreign'%}
-telegraf_ip=192.168.100.1
-{% endif %}
-app_name="proxy_rule_hits"
-
-[traffic_steering]
-enable_steering_http=0
-enable_steering_ssl=0
-# 17: 0x11
-so_mask_client=17
-# 34: 0x22
-so_mask_server=34
-device_client=tap_c
-device_server=tap_s
-
-http_keepalive_enable=0
-http_keepalive_path="/metrics"
-http_keepalive_addr=192.168.41.60
-http_keepalive_port=9273
diff --git a/ansible/roles/tfe/templates/zlog.conf.j2 b/ansible/roles/tfe/templates/zlog.conf.j2
deleted file mode 100644
index af2f626f..00000000
--- a/ansible/roles/tfe/templates/zlog.conf.j2
+++ /dev/null
@@ -1,24 +0,0 @@
-# kill -s SIGHUP "pid"
-
-[global]
-
-default format = "%d(%c), %t, %V, %F, %U, %m%n"
-rotate lock file = /tmp/tfe_zlog.lock
-file perms = 644
-
-[levels]
-
-DEBUG=10
-INFO=20
-FATAL=30
-#DISABLE=40
-
-[rules]
-
-*.fatal "./log/error.log.%d(%F)";
-tfe.fatal "./log/tfe.log.%d(%F)";
-http.fatal "./log/http.log.%d(%F)";
-http2.fatal "./log/http2.log.%d(%F)";
-doh.fatal "./log/doh_pxy.log.%d(%F)";
-tsg_http.fatal "./log/tsg_http_pxy.log.%d(%F)";
-packet_io.fatal "./log/packet_io.log.%d(%F)";
\ No newline at end of file
diff --git a/ansible/roles/tsg-cm/files/tsg-cm-chart-0.1.0.tgz b/ansible/roles/tsg-cm/files/tsg-cm-chart-0.1.0.tgz
deleted file mode 100644
index 7237c6de..00000000
Binary files a/ansible/roles/tsg-cm/files/tsg-cm-chart-0.1.0.tgz and /dev/null differ
diff --git a/ansible/roles/tsg-cm/tasks/main.yml b/ansible/roles/tsg-cm/tasks/main.yml
deleted file mode 100644
index c3fd0656..00000000
--- a/ansible/roles/tsg-cm/tasks/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-- name: "testing tsg-cm role"
- shell: echo "testing"
\ No newline at end of file