diff --git a/ansible/roles/traffic-engine/files/helm/.helmignore b/ansible/roles/traffic-engine/files/helm/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/ansible/roles/traffic-engine/files/helm/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/ansible/roles/traffic-engine/files/helm/Chart.yaml b/ansible/roles/traffic-engine/files/helm/Chart.yaml
deleted file mode 100644
index f2094de0..00000000
--- a/ansible/roles/traffic-engine/files/helm/Chart.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: v2
-name: traffic-engine
-description: A Helm chart for Kubernetes
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "1.16.0"
diff --git a/ansible/roles/traffic-engine/files/helm/charts/.gitkeep b/ansible/roles/traffic-engine/files/helm/charts/.gitkeep
deleted file mode 100644
index e69de29b..00000000
diff --git a/ansible/roles/traffic-engine/files/helm/conf/cert_store.ini b/ansible/roles/traffic-engine/files/helm/conf/cert_store.ini
deleted file mode 100644
index 66e90710..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/cert_store.ini
+++ /dev/null
@@ -1,55 +0,0 @@
-[SYSTEM]
-#1:print on screen, 0:don't
-DEBUG_SWITCH = 1
-RUN_LOG_PATH = "conf/zlog.conf"
-
-[breakpad]
- disable_coredump=0
- enable_breakpad=0
- enable_breakpad_upload=0
- breakpad_minidump_dir="/run/certstore/crashreport"
- breakpad_upload_tools="/opt/tsg/framework/bin/minidump_upload"
-[CONFIG]
-#Number of running threads
-thread-nu = 4
-#1 rsync, 0 sync
-mode=1
-#Local default root certificate is valid for 30 days by default
-expire_after = 30
-#Local default root certificate path
-local_debug = 1
-ca_path = ./cert/tsg-ca-v3-trust-ca.pem
-untrusted_ca_path = ./cert/tsg-ca-v3-untrust-ca.pem
-
-[MAAT]
-#Configure the load mode,
-#1: using local json
-#2: using Redis reads
-maat_json_switch=2
-#When the loading mode is sent to the network, set the scanning configuration modification interval (s).
-effective_interval=1
-#Specify the location of the configuration library table file
-table_info=./conf/table_info.conf
-#Json file path when json schema is used
-pxy_obj_keyring=./conf/pxy_obj_keyring.json
-
-[LIBEVENT]
-#Local monitor port number, default is 9991
-port = 9991
-
-[CERTSTORE_REDIS]
-#The Redis server IP address and port number where the certificate is stored locally
-ip = 127.0.0.1
-port = 6379
-
-[MAAT_REDIS]
-#Maat monitors the Redsi server IP address and port number
-
-ip = {{- include "traffic-engine.global.cm.server-ip" . }}
-port = {{- include "traffic-engine.global.cm.server-port" . }}
-dbindex = {{ .Values.vsys_id }}
-[stat]
-statsd_server=127.0.0.1
-statsd_port=8100
-statsd_set_prometheus_port=9002
-statsd_set_prometheus_url_path=/metrics
diff --git a/ansible/roles/traffic-engine/files/helm/conf/certstore_log.conf b/ansible/roles/traffic-engine/files/helm/conf/certstore_log.conf
deleted file mode 100644
index f5943dd7..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/certstore_log.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-[global]
-default format = "%d(%c), %V, %F, %U, %m%n"
-rotate lock file = /tmp/certstore_zlog.lock
-file perms = 644
-[levels]
-DEBUG=10
-INFO=20
-FATAL=30
-[rules]
-*.fatal "./logs/error.log.%d(%F)", 500M ~ "./logs/error.log.%d(%F).#2s";
-*.fatal "./logs/certstore.log.%d(%F)", 500M ~ "./logs/certstore.log.%d(%F).#2s";
diff --git a/ansible/roles/traffic-engine/files/helm/conf/conflist.inf b/ansible/roles/traffic-engine/files/helm/conf/conflist.inf
deleted file mode 100644
index 74a2116e..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/conflist.inf
+++ /dev/null
@@ -1,55 +0,0 @@
-[platform]
-./plug/stellar_on_sapp/start_loader.inf
-
-[protocol]
-{{- if eq .Values.decoders.SOCKS .Values.define_enable_val_yes }}
-./plug/protocol/deal_socks/deal_socks.inf
-{{- end }}
-{{- if eq .Values.decoders.SIP .Values.define_enable_val_yes }}
-./plug/protocol/sip/sip.inf
-{{- end }}
-{{- if eq .Values.decoders.RTP .Values.define_enable_val_yes }}
-./plug/protocol/rtp/rtp.inf
-{{- end }}
-{{- if eq .Values.decoders.SSL .Values.define_enable_val_yes }}
-./plug/protocol/ssl/ssl.inf
-{{- end }}
-{{- if eq .Values.decoders.HTTP .Values.define_enable_val_yes }}
-./plug/protocol/http/http.inf
-{{- end }}
-{{- if eq .Values.decoders.DNS .Values.define_enable_val_yes }}
-./plug/protocol/dns/dns.inf
-{{- end }}
-{{- if eq .Values.decoders.MAIL .Values.define_enable_val_yes }}
-./plug/protocol/mail/mail.inf
-{{- end }}
-{{- if eq .Values.decoders.FTP .Values.define_enable_val_yes }}
-./plug/protocol/ftp/ftp.inf
-{{- end }}
-{{- if eq .Values.decoders.QUIC .Values.define_enable_val_yes }}
-./plug/protocol/quic/quic.inf
-{{- end }}
-./plug/protocol/l2tp_protocol_plug/l2tp_protocol_plug.inf
-{{- if eq .Values.decoders.SSH .Values.define_enable_val_yes }}
-./plug/protocol/ssh/ssh.inf
-{{- end }}
-{{- if eq .Values.decoders.STRATUM .Values.define_enable_val_yes }}
-./plug/protocol/stratum/stratum.inf
-{{- end }}
-{{- if eq .Values.decoders.RDP .Values.define_enable_val_yes }}
-./plug/protocol/rdp/rdp.inf
-{{- end }}
-{{- if eq .Values.decoders.DTLS .Values.define_enable_val_yes }}
-./plug/protocol/dtls/dtls.inf
-{{- end }}
-
-[business]
-{{- if eq .Values.firewall.enable .Values.define_enable_val_yes }}
-./plug/business/firewall/firewall.inf
-{{- end }}
-./plug/stellar_on_sapp/defer_loader.inf
-./plug/business/http_healthcheck/http_healthcheck.inf
-
-{{- if eq .Values.decoders.SSL .Values.define_enable_val_yes }}
-./plug/protocol/ssl/ssl_defer.inf
-{{- end }}
\ No newline at end of file
diff --git a/ansible/roles/traffic-engine/files/helm/conf/firewall.inf b/ansible/roles/traffic-engine/files/helm/conf/firewall.inf
deleted file mode 100644
index 2d21f069..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/firewall.inf
+++ /dev/null
@@ -1,77 +0,0 @@
-[PLUGINFO]
-PLUGNAME=FIREWEALL
-SO_PATH=./plug/business/firewall/firewall.so
-INIT_FUNC=firewall_init
-DESTROY_FUNC=firewall_destory
-
-{{- if eq .Values.decoders.HTTP .Values.define_enable_val_yes }}
-[HTTP]
-FUNC_FLAG=ALL
-FUNC_NAME=firewall_http_plug_entry
-{{- end }}
-
-{{- if eq .Values.decoders.SSL .Values.define_enable_val_yes }}
-[SSL]
-FUNC_FLAG=SSL_CLIENT_HELLO,SSL_SERVER_HELLO,SSL_APPLICATION_DATA,SSL_CERTIFICATE_DETAIL
-FUNC_NAME=firewall_ssl_plug_entry
-{{- end }}
-
-{{- if eq .Values.decoders.DNS .Values.define_enable_val_yes }}
-[DNS]
-FUNC_FLAG=ALL
-FUNC_NAME=firewall_dns_plug_entry
-{{- end }}
-
-{{- if eq .Values.decoders.MAIL .Values.define_enable_val_yes }}
-[MAIL]
-FUNC_FLAG=ALL
-FUNC_NAME=firewall_mail_plug_entry
-{{- end }}
-
-{{- if eq .Values.decoders.RTP .Values.define_enable_val_yes }}
-[RTP]
-FUNC_FLAG=ALL
-FUNC_NAME=firewall_rtp_plug_entry
-{{- end }}
-
-{{- if eq .Values.decoders.SIP .Values.define_enable_val_yes }}
-[SIP]
-FUNC_FLAG=ALL
-FUNC_NAME=firewall_sip_plug_entry
-{{- end }}
-
-{{- if eq .Values.decoders.FTP .Values.define_enable_val_yes }}
-[FTP]
-FUNC_FLAG=ALL
-FUNC_NAME=firewall_ftp_plug_entry
-{{- end }}
-
-{{- if eq .Values.decoders.QUIC .Values.define_enable_val_yes }}
-[QUIC]
-FUNC_FLAG=QUIC_CLIENT_HELLO,QUIC_SERVER_HELLO,QUIC_CACHED_CERT,QUIC_COMM_CERT,QUIC_CERT_CHAIN,QUIC_VERSION,QUIC_APPLICATION_DATA
-FUNC_NAME=firewall_quic_plug_entry
-{{- end }}
-
-{{- if eq .Values.decoders.DTLS .Values.define_enable_val_yes }}
-[DTLS]
-FUNC_FLAG=ALL
-FUNC_NAME=firewall_dtls_plug_entry
-{{- end }}
-
-{{- if eq .Values.decoders.STRATUM .Values.define_enable_val_yes }}
-[STRATUM]
-FUNC_FLAG=ALL
-FUNC_NAME=firewall_stratum_plug_entry
-{{- end }}
-
-{{- if eq .Values.decoders.RDP .Values.define_enable_val_yes }}
-[RDP]
-FUNC_FLAG=ALL
-FUNC_NAME=firewall_rdp_plug_entry
-{{- end }}
-
-{{- if eq .Values.decoders.SSH .Values.define_enable_val_yes }}
-[SSH]
-FUNC_FLAG=ALL
-FUNC_NAME=firewall_ssh_plug_entry
-{{- end }}
diff --git a/ansible/roles/traffic-engine/files/helm/conf/firewall_l7_protocol.conf b/ansible/roles/traffic-engine/files/helm/conf/firewall_l7_protocol.conf
deleted file mode 100644
index 4020ac6e..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/firewall_l7_protocol.conf
+++ /dev/null
@@ -1,61 +0,0 @@
-#TYPE:1:UCHAR,2:USHORT,3:USTRING,4:ULOG,5:USTRING,6:FILE,7:UBASE64,8:PACKET
-#TYPE FIELD VALUE
-#STRING UNCATEGORIZED 8000
-#STRING UNCATEGORIZED 8001
-#STRING UNKNOWN_OTHER 8002
-STRING DNS 32
-STRING FTP 45
-STRING FTPS 751
-STRING HTTP 67
-STRING HTTPS 68
-STRING ICMP 70
-STRING IKE 8003
-STRING MAIL 8004
-STRING IMAP 75
-STRING IMAPS 76
-STRING IPSEC 85
-STRING XMPP 94
-STRING L2TP 98
-STRING NTP 137
-STRING POP3 147
-STRING POP3S 148
-STRING PPTP 153
-STRING QUIC 2521
-STRING SIP 182
-STRING SMB 185
-STRING SMTP 186
-STRING SMTPS 187
-STRING SPDY 1469
-STRING SSH 198
-STRING SSL 199
-STRING SOCKS 8005
-STRING TELNET 209
-STRING DHCP 29
-STRING RADIUS 158
-STRING OPENVPN 336
-STRING STUN 201
-STRING TEREDO 555
-STRING DTLS 1291
-STRING DoH 8006
-STRING ISAKMP 92
-STRING MDNS 3835
-STRING NETBIOS 129
-STRING NETFLOW 130
-STRING RDP 159
-STRING RTCP 174
-STRING RTP 175
-STRING SLP 8007
-STRING SNMP 190
-STRING SSDP 197
-STRING TFTP 211
-STRING BJNP 2481
-STRING LDAP 100
-STRING RTMP 337
-STRING RTSP 176
-STRING ESNI 8008
-STRING Stratum 8169
-STRING QQ 156
-STRING WeChat 1296
-STRING WIREGUARD 3700
-STRING MMS 115
-STRING RSYNC 173
\ No newline at end of file
diff --git a/ansible/roles/traffic-engine/files/helm/conf/firewall_logger_transmitter_schema.json b/ansible/roles/traffic-engine/files/helm/conf/firewall_logger_transmitter_schema.json
deleted file mode 100644
index f5df2bee..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/firewall_logger_transmitter_schema.json
+++ /dev/null
@@ -1,378 +0,0 @@
-{
- {{- if eq .Values.firewall.logs.enable .Values.define_enable_val_yes }}
- "switch": "on",
- {{- else }}
- "switch": "off",
- {{- end }}
- "channel_list": [
- {{- if eq .Values.external_resources.olap.udp_collectors.enable .Values.define_enable_val_yes }}
- {
- "channel": "udpsock",
- "collector": "{{- include "traffic-engine.config.addresses.converter" (list .Values.external_resources.olap.udp_collectors.addresses ",") }}"
- },
- {{- end }}
- {
- "channel": "kafka",
- "broker_list": "{{- include "traffic-engine.config.addresses.converter" (list .Values.external_resources.olap.kafka_brokers.addresses ",") }}",
- "sasl_username": "{{ .Values.external_resources.olap.kafka_brokers.sasl_username }}",
- "sasl_password": "{{ .Values.external_resources.olap.kafka_brokers.sasl_password }}",
- "compression": "snappy",
- "refresh_interval_ms": "600000",
- "send_queue_max_msg": "1000000",
- "required_acks": "1"
- }
- ],
- "format_list": [
- "json",
- "ipfix",
- "mpack"
- ],
- "ringbuff": {
- "size": {{ .Values.firewall.logs.ringbuf.size }},
- "num": 2
- },
- "transmitter_list": [
- {{- if eq .Values.external_resources.olap.udp_collectors.enable .Values.define_enable_val_yes }}
- {
- "switch": "on",
- "async": "off",
- "name": "IPFIX-TEMPLATE",
- "topic": "IPFIX-TEMPLATE",
- "mode": [
- {
- "channel": "udpsock",
- "format": [
- "ipfix"
- ]
- }
- ]
- },
- {{- end }}
- {
- {{- if eq .Values.session_record.enable .Values.define_enable_val_yes }}
- "switch": "on",
- {{- else }}
- "switch": "off",
- {{- end }}
- "async": "on",
- "name": "SESSION-RECORD",
- "topic": "SESSION-RECORD",
- "client_id": "SESSION-RECORD",
- "mode": [
- {{- if eq .Values.external_resources.olap.udp_collectors.enable .Values.define_enable_val_yes }}
- {
- "channel": "udpsock",
- "format": [
- "ipfix"
- ]
- },
- {{- end }}
- {
- "channel": "kafka",
- "format": [
- "json"
- ]
- }
- ]
- },
- {
- {{- if eq .Values.define_enable_val_yes .Values.transaction_record.enable_http }}
- "switch": "on",
- {{- else }}
- "switch": "off",
- {{- end }}
- "async": "on",
- "name": "HTTP-TRANSACTION-RECORD",
- "topic": "TRANSACTION-RECORD",
- "client_id": "TRANSACTION-RECORD",
- "mode": [
- {
- "channel": "kafka",
- "format": [
- "json"
- ]
- }
- ]
- },
- {
- {{- if eq .Values.define_enable_val_yes .Values.transaction_record.enable_mail }}
- "switch": "on",
- {{- else }}
- "switch": "off",
- {{- end }}
- "async": "on",
- "name": "MAIL-TRANSACTION-RECORD",
- "topic": "TRANSACTION-RECORD",
- "client_id": "TRANSACTION-RECORD",
- "mode": [
- {
- "channel": "kafka",
- "format": [
- "json"
- ]
- }
- ]
- },
- {
- {{- if eq .Values.define_enable_val_yes .Values.transaction_record.enable_dns }}
- "switch": "on",
- {{- else }}
- "switch": "off",
- {{- end }}
- "async": "on",
- "name": "DNS-TRANSACTION-RECORD",
- "topic": "TRANSACTION-RECORD",
- "client_id": "TRANSACTION-RECORD",
- "mode": [
- {
- "channel": "kafka",
- "format": [
- "json"
- ]
- }
- ]
- },
- {
- {{- if eq .Values.define_enable_val_yes .Values.voip_record.enable_sip }}
- "switch": "on",
- {{- else }}
- "switch": "off",
- {{- end }}
- "async": "on",
- "name": "SIP-VOIP-RECORD",
- "topic": "VOIP-RECORD",
- "client_id": "VOIP-RECORD",
- "mode": [
- {
- "channel": "kafka",
- "format": [
- "json"
- ]
- }
- ]
- },
- {
- {{- if eq .Values.define_enable_val_yes .Values.voip_record.enable_rtp }}
- "switch": "on",
- {{- else }}
- "switch": "off",
- {{- end }}
- "async": "on",
- "name": "RTP-VOIP-RECORD",
- "topic": "VOIP-RECORD",
- "client_id": "VOIP-RECORD",
- "mode": [
- {
- "channel": "kafka",
- "format": [
- "json"
- ]
- }
- ]
- },
- {
- {{- if eq .Values.file_stream_record.enable .Values.define_enable_val_yes }}
- "switch": "on",
- {{- else }}
- "switch": "off",
- {{- end }}
- "async": "on",
- "name": "POLICY-PACKET-TRAFFIC-FILE-STREAM-RECORD",
- "topic": "TRAFFIC-POLICY-CAPTURE-FILE-STREAM-RECORD",
- "client_id": "TRAFFIC-POLICY-CAPTURE-FILE-STREAM-RECORD",
- "mode": [
- {
- "channel": "kafka",
- "format": [
- "mpack"
- ]
- }
- ]
- },
- {
- {{- if eq .Values.file_stream_record.enable .Values.define_enable_val_yes }}
- "switch": "on",
- {{- else }}
- "switch": "off",
- {{- end }}
- "async": "on",
- "name": "HTTP-REQ-BODY-TRAFFIC-FILE-STREAM-RECORD",
- "topic": "TRAFFIC-HTTP-FILE-STREAM-RECORD",
- "client_id": "TRAFFIC-HTTP-FILE-STREAM-RECORD",
- "mode": [
- {
- "channel": "kafka",
- "format": [
- "mpack"
- ]
- }
- ]
- },
- {
- {{- if eq .Values.file_stream_record.enable .Values.define_enable_val_yes }}
- "switch": "on",
- {{- else }}
- "switch": "off",
- {{- end }}
- "async": "on",
- "name": "HTTP-RES-BODY-TRAFFIC-FILE-STREAM-RECORD",
- "topic": "TRAFFIC-HTTP-FILE-STREAM-RECORD",
- "client_id": "TRAFFIC-HTTP-FILE-STREAM-RECORD",
- "mode": [
- {
- "channel": "kafka",
- "format": [
- "mpack"
- ]
- }
- ]
- },
- {
- {{- if eq .Values.file_stream_record.enable .Values.define_enable_val_yes }}
- "switch": "on",
- {{- else }}
- "switch": "off",
- {{- end }}
- "async": "on",
- "name": "MAIL-EML-TRAFFIC-FILE-STREAM-RECORD",
- "topic": "TRAFFIC-EML-FILE-STREAM-RECORD",
- "client_id": "TRAFFIC-EML-FILE-STREAM-RECORD",
- "mode": [
- {
- "channel": "kafka",
- "format": [
- "mpack"
- ]
- }
- ]
- },
- {
- {{- if eq .Values.file_stream_record.enable .Values.define_enable_val_yes }}
- "switch": "on",
- {{- else }}
- "switch": "off",
- {{- end }}
- "async": "on",
- "name": "RTP-PACKET-TRAFFIC-FILE-STREAM-RECORD",
- "topic": "TRAFFIC-RTP-FILE-STREAM-RECORD",
- "client_id": "TRAFFIC-RTP-FILE-STREAM-RECORD",
- "mode": [
- {
- "channel": "kafka",
- "format": [
- "mpack"
- ]
- }
- ]
- },
- {
- {{- if eq .Values.define_enable_val_yes .Values.packet_capture.enable }}
- "switch": "on",
- {{- else }}
- "switch": "off",
- {{- end }}
- "async": "on",
- "name": "TROUBLESHOOTING-FILE-STREAM-RECORD",
- "topic": "TROUBLESHOOTING-FILE-STREAM-RECORD",
- "client_id": "TROUBLESHOOTING-FILE-STREAM-RECORD",
- "mode": [
- {
- "channel": "kafka",
- "format": [
- "mpack"
- ]
- }
- ]
- },
- {
- "switch": "on",
- "async": "off",
- "name": "DOS-SKETCH-RECORD",
- "topic": "DOS-SKETCH-RECORD",
- "client_id": "DOS-SKETCH-RECORD",
- "mode": [
- {
- "channel": "kafka",
- "format": [
- "json"
- ]
- }
- ]
- },
- {
- "switch": "on",
- "async": "off",
- "name": "POLICY-RULE-METRIC",
- "topic": "POLICY-RULE-METRIC",
- "client_id": "POLICY-RULE-METRIC",
- "mode": [
- {
- "channel": "kafka",
- "format": [
- "json"
- ]
- }
- ]
- },
- {
- "switch": "on",
- "async": "off",
- "name": "NETWORK-TRAFFIC-METRIC",
- "topic": "NETWORK-TRAFFIC-METRIC",
- "client_id": "NETWORK-TRAFFIC-METRIC",
- "mode": [
- {
- "channel": "kafka",
- "format": [
- "json"
- ]
- }
- ]
- },
- {
- "switch": "on",
- "async": "off",
- "name": "TRAFFIC-TOP-METRIC",
- "topic": "TRAFFIC-TOP-METRIC",
- "client_id": "TRAFFIC-TOP-METRIC",
- "mode": [
- {
- "channel": "kafka",
- "format": [
- "json"
- ]
- }
- ]
- },
- {
- "switch": "on",
- "async": "off",
- "name": "STATISTICS-RULE-METRIC",
- "topic": "STATISTICS-RULE-METRIC",
- "client_id": "STATISTICS-RULE-METRIC",
- "mode": [
- {
- "channel": "kafka",
- "format": [
- "json"
- ]
- }
- ]
- },
- {
- "switch": "on",
- "async": "off",
- "name": "OBJECT-STATISTICS-METRIC",
- "topic": "OBJECT-STATISTICS-METRIC",
- "client_id": "OBJECT-STATISTICS-METRIC",
- "mode": [
- {
- "channel": "kafka",
- "format": [
- "json"
- ]
- }
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/ansible/roles/traffic-engine/files/helm/conf/gdev.conf b/ansible/roles/traffic-engine/files/helm/conf/gdev.conf
deleted file mode 100644
index a6e3796a..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/gdev.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-[Module]
-pcapdevice={{ .Values.nic_raw_name }}
-sendto_gdev_card={{ .Values.nic_raw_name }}
-sendto_gdev_ip={{ .Values.etherfabric_settings.keepalive.ip }}
-gdev_status_switch=1
diff --git a/ansible/roles/traffic-engine/files/helm/conf/http_main.conf b/ansible/roles/traffic-engine/files/helm/conf/http_main.conf
deleted file mode 100644
index 6fcafbd8..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/http_main.conf
+++ /dev/null
@@ -1,37 +0,0 @@
-[FUNCTION]
-switch_no_biz=1
-
-#0 means close stat
-stat_cycle=0
-#stat output screen 0: screen 1: file
-stat_screen_print=0
-stat_file=./log/http/http_stat.log
-
-#ungzip
-{{- if eq .Values.decoders.HTTP_GZIP .Values.define_enable_val_yes }}
-ungzip_switch=1
-{{- else }}
-ungzip_switch=0
-{{- end }}
-
-#support proxy
-proxy_switch=1
-
-#single-way traffic need http session num, 0 means no this function
-singleway_maxseq=2
-
-#0: field callback mode(default) 1:batch callback mode
-callback_mode=0
-
-#batch field maxnum when http_all or http_other
-batch_field_maxnum=32
-
-#check HEAD when s2c one-way
-s2c_head_check_switch=1
-
-[LOG]
-#FATAL:wrong info
-#INFO: lostlen; special proc ;proxy info
-#DEBUG: pending and close info; all url;
-log_level=30
-log_path=./log/http/runtime
diff --git a/ansible/roles/traffic-engine/files/helm/conf/maat.conf b/ansible/roles/traffic-engine/files/helm/conf/maat.conf
deleted file mode 100644
index e037f40a..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/maat.conf
+++ /dev/null
@@ -1,41 +0,0 @@
-[CM_STATIC_MAAT]
-###file, json, redis
-MAAT_MODE=redis
-STAT_SWITCH=1
-PERF_SWITCH=0
-HIT_GROUP_SWITCH=1
-TABLE_INFO=tsgconf/firewall_cm_maat_tableinfo.json
-STAT_FILE=metrics/firewall_cm_maat_stat.json
-EFFECT_INTERVAL_MS=1000
-GARBAGE_COLLECT_MS=60000
-RULE_UPDATE_CHECK_INTERVAL_MS=1000
-REDIS_IP={{- include "traffic-engine.global.cm.server-ip" . }}
-REDIS_PORT={{- include "traffic-engine.global.cm.server-port" . }}
-REDIS_INDEX={{ .Values.vsys_id }}
-JSON_CFG_FILE=tsgconf/firewall_cm_maat_rule.json
-INC_CFG_DIR=tsgrule/inc/index/
-FULL_CFG_DIR=tsgrule/full/index/
-EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
-LOG_PATH="log/firewall.cm.maat"
-
-[SD_DYNAMIC_MAAT]
-MAAT_MODE=redis
-STAT_SWITCH=1
-PERF_SWITCH=1
-TABLE_INFO=tsgconf/firewall_sd_maat_tableinfo.json
-STAT_FILE=metrics/firewall_sd_maat_stat.json
-EFFECT_INTERVAL_MS={{ .Values.external_resources.sd.policy_effect_interval_ms }}
-GARBAGE_COLLECT_MS={{ .Values.external_resources.sd.policy_garbage_collection_interval_ms }}
-RULE_UPDATE_CHECK_INTERVAL_MS={{ .Values.external_resources.sd.policy_update_check_interval_ms }}
-REDIS_IP={{- include "traffic-engine.global.sd.server-ip" . }}
-REDIS_PORT_NUM=1
-REDIS_PORT={{- include "traffic-engine.global.sd.server-port" . }}
-REDIS_INDEX={{ .Values.external_resources.sd.db_index }}
-JSON_CFG_FILE=tsgconf/firewall_sd_maat_rule.json
-INC_CFG_DIR=tsgrule/inc/index/
-FULL_CFG_DIR=tsgrule/full/index/
-EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
-LOG_PATH="log/firewall.sd.maat"
-
-[MAAT]
-ACCEPT_TAGS={"tags":[{{- include "traffic-engine.device-tag-list" . }}]}
diff --git a/ansible/roles/traffic-engine/files/helm/conf/mail.conf b/ansible/roles/traffic-engine/files/helm/conf/mail.conf
deleted file mode 100644
index 9b78b522..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/mail.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-[MODULE]
-LOG_PATH=./log/mail
-LOG_LEVEL=20
-
-#USER_DEFINE_REGION=X-mailer,Message-ID
-
-#IMAP BODY/BODYSTRUCTURE information
-HTABLE_SIZE=65536
-HTABLE_EXPIRE_TIME=1800
-
-#whether to decode BASE64/QP, 0:OFF, 1:ON(default)
-{{- if eq .Values.decoders.MAIL_BASE64 .Values.define_enable_val_yes }}
-TRANS_DECODE_SWITCH=1
-{{- else }}
-TRANS_DECODE_SWITCH=0
-{{- end }}
-#0: callback biz per packet; 1: callback biz per line(default)
-CALLBACK_BIZ_LINE=1
-
-STAT_FIELD_CYCLE=10
-STAT_FIELD_TRIG=0
-STAT_FIELD_APPNAME=MAIL_PRO
-STAT_FIELD_DST_IP=10.10.10.68
-STAT_FIELD_DST_PORT=8125
diff --git a/ansible/roles/traffic-engine/files/helm/conf/main.conf b/ansible/roles/traffic-engine/files/helm/conf/main.conf
deleted file mode 100644
index 40ef63c2..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/main.conf
+++ /dev/null
@@ -1,145 +0,0 @@
-[MAAT]
-PROFILE="./tsgconf/maat.conf"
-{{- if eq .Values.external_resources.sd.enable .Values.define_enable_val_yes }}
-DYNAMIC_MAPPING_MAAT_SWITCH=1
-{{- else }}
-DYNAMIC_MAPPING_MAAT_SWITCH=0
-{{- end }}
-
-DEVICE_TAG_FILE=/opt/tsg/etc/tsg_device_tag.json
-ACCEPT_TAGS={"tags":[{{- include "traffic-engine.device-tag-list" . }}]}
-
-[TSG_LOG]
-IPFIX_SCHEMA_PROFILE=./tsgconf/firewall_logger_ipfix_schema.json
-LOGGER_SCHEMA_PROFILE=./tsgconf/firewall_logger_transmitter_schema.json
-
-TRAFFIC_VSYSTEM_ID={{ .Values.vsys_id }}
-
-{{- if eq .Values.firewall.logs.contains_app_id.enable .Values.define_enable_val_yes }}
-SEND_APP_ID_SWITCH=1
-{{- else }}
-SEND_APP_ID_SWITCH=0
-{{- end }}
-{{- if eq .Values.firewall.logs.contains_dns_resource_record.enable .Values.define_enable_val_yes }}
-SEND_DNS_RR_SWITCH=1
-{{- else }}
-SEND_DNS_RR_SWITCH=0
-{{- end }}
-
-[SYSTEM]
-DATACENTER_ID={{ .Values.session_id_generator.snowflake_worker_id_base }}
-LOG_LEVEL=30
-LOG_PATH="firewall.log"
-DEVICE_SEQ_IN_DATA_CENTER={{ .Values.session_id_generator.snowflake_worker_id_offset }}
-SERVICE_CHAINING_SID={{ .Values.sid.sce }}
-SHAPING_SID={{ .Values.sid.shaping }}
-PROXY_SID={{ .Values.sid.proxy }}
-{{- if eq .Values.decoders.SSL_JA3 .Values.define_enable_val_yes }}
-GENERATE_JA3_FINGERPRINT=1
-{{- else }}
-GENERATE_JA3_FINGERPRINT=0
-{{- end }}
-MAX_SCAN_TCP_PKT_COUNT=8
-MAX_SCAN_UDP_PKT_COUNT=8
-PERIODIC_SCAN_INTERVAL_MS=120000
-OSFP_DB_JSON_PATH=tsgconf/firewall_osfp_db.json
-L7_PROTOCOL_FILE=./tsgconf/firewall_l7_protocol.conf
-
-{{ if and (eq .Values.appsketch.context_based_detector .Values.define_enable_val_yes) (eq .Values.appsketch.enable .Values.define_enable_val_yes) }}
-APPSKETCH_SWITCH=1
-{{- else }}
-APPSKETCH_SWITCH=0
-{{- end }}
-
-[FIREWALL]
-# hijack, replace
-PACKET_RESPONSE_MODE=replace
-HTTP_PAGE200=./tsgconf/HTTP200.html
-HTTP_PAGE204=./tsgconf/HTTP204.html
-HTTP_PAGE403=./tsgconf/HTTP403.html
-HTTP_PAGE404=./tsgconf/HTTP404.html
-
-[FIREWALL_LOCAL_STAT]
-STAT_NAME="firewall"
-STAT_INTERVAL_TIME_S=5
-STAT_OUTPATH="metrics/firewall_local_file_stat.json"
-
-[APP_SKETCH_FEEDBACK]
-QOS=0
-PUBLISH_TOPIC="APP_SIGNATURE_ID"
-#CLIENT_ID=
-#BROKER_IP=
-#BROKER_PORT=
-
-[qdpi_detector]
-debug_swtich=30
-intput_max_packet=20
-qmdpi_engine_config=injection_mode=stream;nb_workers={{- include "traffic-engine.sapp.workerthread" . }};nb_flows=8000;basic_dpi_enable=1;classification_cache_enable=0;fm_flow_table_alloc_mode=0
-
-[TRAFFIC_MIRROR]
-{{- if eq .Values.traffic_mirror.enable_raw_traffic .Values.define_enable_val_yes }}
-TRAFFIC_MIRROR_ENABLE=1
-{{- else }}
-TRAFFIC_MIRROR_ENABLE=0
-{{- end }}
-{{- if .Values.nic_mirror_name.firewall }}
-NIC_NAME="{{ .Values.nic_mirror_name.firewall }}"
-{{- end }}
-APP_NAME="firewall-mirror-{{ .Values.app_symbol_index }}"
-DEFAULT_VLAN_ID=0
-
-[PROTO_IDENTIFY]
-MAX_IDENTIFY_PACKETS=10
-
-[SESSION_FLAGS]
-#RANDOM_LOOKING_JUDGE_LIST={"random_looking_judge_list":[ "frequency", "block_frequency", "cumulative_sums", "runs", "longest_run", "rank", "non_overlapping_template_matching", "overlapping_template_matching", "universal", "random_excursions", "random_excursions_variant", "poker_detect", "runs_distribution", "self_correlation", "binary_derivative" ]}
-FET_ENABLED=1
-RANDOM_LOOKING_UDP_IGNORE_PKTS=-1
-RANDOM_LOOKING_JUDGE_LIST={"random_looking_judge_list":[]}
-TUNNELING_PCRE_LIST={"tunneling_pcre_list":["(B|C)(d){3,5}(a|b|c|d)(A|B)b(A|B|C|D)", "(B|C)(d){3,5}(a|b|c|d)Aa(A|B|C|D)", "(B|C)(d){2}(b|c)(A|B)b(A|B|C|D)", "(B|C)(d){2}(b|c)Aa(A|B|C|D)"]}
-
-[SF_CLASSIFIER]
-SYNC_MODE=1
-
-{{ if eq .Values.stat_policy_enforcer.enable .Values.define_enable_val_yes -}}
-[STAT_POLICY_ENFORCER]
-CYCLE_INTERVAL_S=1
-SESSION_UPDATE_MS=250
-{{- end }}
-
-{{ if eq .Values.traffic_sketch.enable .Values.define_enable_val_yes -}}
-[TRAFFIC_SKETCH]
-APP_AND_TRAFFIC_CYCLE_S=1
-APP_AND_TRAFFIC_CYCLE_UPDATE_MS=250
-TOPK_CYCLE_S=60
-TOPK_UPDATE_MS=1000
-DOS_CYCLE_S=60
-DOS_UPDATE_MS=1000
-SWITCH_TRAFFIC_SKETCH=1
-{{- end }}
-
-{{ if eq .Values.policy_sketch.enable .Values.define_enable_val_yes -}}
-[POLICY_SKETCH]
-OBJECT_CYCLE_S=1
-OBJECT_UPDATE_MS=250
-RULE_HITS_CYCLE_S=1
-RULE_HITS_UPDATE_MS=250
-{{- end }}
-
-[DOS_PROTECTOR]
-{{ if eq .Values.dos_protector.enable .Values.define_enable_val_yes -}}
-DOS_PROTECTOR_ENABLE=1
-OUTPUT_INTERVAL_MS=60000
-METRICS_OUTPUT_INTERVAL_MS=60000
-SWARMKV_CLUSTER_NAME="dos_protection_vsys{{ .Values.vsys_id }}"
-SWARMKV_NODE_IP="0.0.0.0"
-SWARMKV_NODE_PORT=8551
-SWARMKV_CONSUL_IP="NODE_IP_LOCATION"
-SWARMKV_CONSUL_PORT=8500
-SWARMKV_CLUSTER_ANNOUNCE_IP="NODE_IP_LOCATION"
-SWARMKV_CLUSTER_ANNOUNCE_PORT=CLUSTER_ANNOUNCE_PORT_LOCATION
-SWARMKV_HEALTH_CHECK_PORT=8552
-SWARMKV_HEALTH_CHECK_ANNOUNCE_PORT=HEALTH_CHECK_ANNOUNCE_PORT_LOCATION
-{{- else }}
-DOS_PROTECTOR_ENABLE=0
-{{- end }}
diff --git a/ansible/roles/traffic-engine/files/helm/conf/necessary_plug_list.conf b/ansible/roles/traffic-engine/files/helm/conf/necessary_plug_list.conf
deleted file mode 100644
index 106f0dc0..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/necessary_plug_list.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-#以下插件如果加载,初始化失败, sapp平台会退出;
-#插件的路径来自配置文件 ./plug/conflist.inf, 不需要加段落标识[platform],[protocol],[business]等.
-#If the following plugins fail to initialize, the sapp platform will exit.
-#The name of the plugin comes from the configuration ./plug/conflist.inf, section identification is not required.
-./plug/protocol/sip/sip.inf
-./plug/protocol/rtp/rtp.inf
-./plug/protocol/ssl/ssl.inf
-./plug/protocol/ssh/ssh.inf
-./plug/protocol/http/http.inf
-./plug/protocol/dns/dns.inf
-./plug/protocol/mail/mail.inf
-./plug/protocol/ftp/ftp.inf
-./plug/protocol/quic/quic.inf
-./plug/protocol/rdp/rdp.inf
-./plug/protocol/l2tp_protocol_plug/l2tp_protocol_plug.inf
-./plug/business/kni/kni.inf
-./plug/business/conn_telemetry/conn_telemetry.inf
-./plug/business/http_healthcheck/http_healthcheck.inf
-./plug/platform/tsg_ddos_sketch/tsg_ddos_sketch.inf 1
-./plug/business/firewall/firewall.inf
-./plug/stellar_on_sapp/start_loader.inf
-./plug/stellar_on_sapp/defer_loader.inf
\ No newline at end of file
diff --git a/ansible/roles/traffic-engine/files/helm/conf/sapp.toml b/ansible/roles/traffic-engine/files/helm/conf/sapp.toml
deleted file mode 100644
index af7018a3..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/sapp.toml
+++ /dev/null
@@ -1,274 +0,0 @@
-###################################################################################################
-# NOTE:
-# The format of this file is toml (https://github.com/cktan/tomlc99)
-# to make vim editor display colorful and human readable,
-# you can create a symbolic links named sapp.ini to sapp.toml, ln -sf sapp.toml sapp.ini
-###################################################################################################
-
-[SYSTEM]
-instance_name = "firewall-{{ .Values.app_symbol_index }}"
-
-[CPU]
-### note, bind_mask, if you do not want to bind thread to special CPU core, keep it empty as []
-worker_threads={{- include "traffic-engine.sapp.workerthread" . }}
-send_only_threads_max=0
-bind_mask=[{{- include "traffic-engine.sapp.cpu-affinity" . }}]
-
-[MEM]
-dictator_enable=0
-
-[PACKET_IO]
-
- [overlay_tunnel_definition]
-### note, since 2020-10-01, L2-L3 tunnel(VLAN,MPLS,PPPOE,etc.) is process and offload by mrtunnat,
-### after 2020-10-01, sapp support L2-L3 tunnel(VLAN,MPLS,PPPOE,etc.) without mrtunnat.
- l2_l3_tunnel_support=1
-
-### note, optional value is [none, vxlan, nf]
- overlay_mode="nf"
- [packet_io.feature]
-
- destroy_all_plug_enabled = 0
-
- ### note, used to represent inbound or outbound direction value,
- ### because it comes from Third party device, so it needs to be specified manually,
- ### if inbound_route_dir=1, then outbound_route_dir=0, vice versa,
- ### in other words, outbound_route_dir = 1 ^ inbound_route_dir;
- inbound_route_dir=1
-
-### note, BSD_packet_filter, if you do not want to set any filter rule, keep it empty as ""
- BSD_packet_filter=""
-
-### note, same as tcpdump -Q/-P arg, possible values are `in', `out' and `inout', default is "in"
- pcap_capture_direction="in"
-
-
-### note, depolyment.mode options: [sys_route, vxlan_by_inline_device, raw_ethernet_single_gateway, raw_ethernet_multi_gateway]
-### sys_route: send ip(ipv6) packet by system route table, this is default mode in mirror mode;
-### vxlan_by_inline_device: encapsulation inject packet with vxlan, and then send to inline device by udp socket.
-### raw_ethernet_single_gateway: send layer2 ethernet packet to specific gateway in same broadcast domain.
-### raw_ethernet_multi_gateway: send layer2 ethernet packet to multiple gateway in same broadcast domain.
- inject_pkt_mode="default"
- inject_pkt_prepend_segment_id={{ .Values.sid.inject_adapter }}
-### note, this config is valid if inject_pkt_mode==vxlan_by_inline_device, means udp socket src port.
- #inject_mode_inline_device_sport=54789
-
-### note, this config is valid if inject_pkt_mode==raw_ethernet_single_gateway.
- #inject_mode_single_gateway_device="eth1"
-### inject_mode_single_gateway_src_mac has lower priority than get smac from inject_mode_single_gateway_device
- #inject_mode_single_gateway_src_mac="00:11:22:77:88:99"
- #inject_mode_single_gateway_dst_mac="00:11:22:33:44:55"
- #dumpfile_sleep_time_before_exit=3
-
-### note, depolyment.mode options: [mirror, inline, transparent]
- [packet_io.deployment]
- mode="inline"
-
-### note, interface.type options: [pag,pcap,marsio]
- [packet_io.internal.interface]
- type="marsio"
- name="{{ .Values.nic_raw_name }}"
- [packet_io.external.interface]
- type="pcap"
- name="lo"
-
- [packet_io.polling]
-### note, polling_priority = call sapp_recv_pkt every call polling_entry times,
- polling_priority=100
-
- [packet_io.under_ddos]
-### note, to reduce impact of ddos attack,set some stream bypass, all plugins will not process these streams
-{{- if eq .Values.overload_protection.enable .Values.define_enable_val_yes }}
-stream_bypass_enabled=1
-{{- else }}
-stream_bypass_enabled=0
-{{- end }}
-
-
-### note, cpu usage value is percent, for example, config value is 85, means 85%, valid range: [1,100]
-### sapp change to bypass state immediately when realtime cpu usage > bypass_trigger_cpu_usage
-bypass_trigger_cpu_usage={{ .Values.overload_protection.detect_threshold_cpu_usages }}
-
-
-### note, unit of get_cpu_usage_interval is milliseconds(ms)
- get_cpu_usage_interval={{ .Values.overload_protection.detect_interval_in_ms }}
-### note, use the average of the last $smooth_avg_window times as current realtime value
- smooth_avg_window={{ .Values.overload_protection.detect_smooth_avg_window }}
-
- decrease_ratio="0.95"
- increase_ratio="1.005"
-### note, unit of bypass_observe_time is second(s)
- recovery_observe_time={{ .Values.overload_protection.recovery_detect_cycle_in_sec }}
-
-[PROTOCOL_FEATURE]
- ipv6_decapsulation_enabled=1
- ipv6_send_packet_enabled=1
- tcp_drop_pure_ack_pkt=0
- tcp_syn_option_parse_enabled=1
-
skip_not_ip_layer_over_eth=0
- skip_gtp_seq_field_for_inject=1
-
-[DUPLICATE_PKT]
-[dup_pkt.traffic.original]
- kickout_udp_stream_enabled=0
-{{- if eq .Values.session_manager.tcp_duplicated_packet_filter .Values.define_enable_val_yes }}
- original_ipv4_tcp_enabled=1
-{{- else }}
- original_ipv4_tcp_enabled=0
-{{- end }}
-{{- if eq .Values.session_manager.udp_duplicated_packet_filter .Values.define_enable_val_yes }}
- original_ipv4_udp_enabled=1
-{{- else }}
- original_ipv4_udp_enabled=0
-{{- end }}
-### note, can't distinguish between duplicate traffic and application retransmit traffic for IPv6 packets,
-### so not support IPv6 original duplicate traffic check.
-
-
-[dup_pkt.traffic.inject]
-{{- if eq .Values.session_manager.inject_duplicated_packet_filter .Values.define_enable_val_yes }}
- inject_all_enabled=1
-{{- else }}
- inject_all_enabled=0
-{{- end }}
-
-[dup_pkt.parameters]
- bloom_capacity=1000000
- bloom_error_rate=0.00001
- bloom_timeout=10
-
-[STREAM]
-### note, stream_id_base_time format is "%Y-%m-%d %H:%M:%S"
- stream_id_base_time="2021-01-01 00:00:00"
- [stream.tcp]
- max={{ .Values.session_manager.tcp_session_max }}
- timeout={{ .Values.session_manager.tcp_session_timeout_in_sec }}
- syn_mandatory=1
- reorder_pkt_max={{ .Values.session_manager.tcp_session_unordered_pkt_max }}
- analyse_option_enabled=1
- tuple4_reuse_time_interval=30
-
- meaningful_statistics_minimum_pkt=3
- meaningful_statistics_minimum_byte=5
- opening_timeout={{ .Values.session_manager.tcp_session_opening_timeout_in_sec }}
- closing_timeout={{ .Values.session_manager.tcp_session_closing_timeout_in_sec }}
-
- [stream.tcp.inject]
- link_mss=1460
-
- [stream.tcp.inject.rst]
- auto_remedy=0
- number=3
- signature_enabled=1
- signature_seed1=65535
- signature_seed2=13
- remedy_kill_tcp_by_inline_device=0
-
- [stream.udp]
- max={{ .Values.session_manager.udp_session_max }}
- timeout={{ .Values.session_manager.udp_session_timeout_in_sec }}
- meaningful_statistics_minimum_pkt=3
-
meaningful_statistics_minimum_byte=5
-
-
-[PROFILING]
- [profiling.log]
- sapp_log_category="sapp_log"
- sapp_plugin_log_category="sapp_plugin_log"
- #for profiling-related API control, e.g printaddr
-
- [profiling.metric]
- [profiling.metric.fs2]
- enabled=0
- prometheus_port=9273
- prometheus_url_path="/metrics"
- local_file="log/fs2_sysinfo.metrics"
- refresh_interval_s=1
-
- [profiling.metric.fs3]
- enabled=0
- prometheus_port=9273
- prometheus_url_path="/metrics"
- local_file="log/fs3_sysinfo.metrics"
- refresh_interval_s=1
-
- [profiling.metric.fs4]
- enabled=1
- local_file="./metrics/fs4_sysinfo.json"
- refresh_interval_s=1
- app_name="sapp4"
-
- [profiling.process_latency]
- log_category="sapp_process_latency_log"
- histogram_enabled=0
- local_file="fs2_process_latency.metrics"
- refresh_interval_s=1
-### note, threshold unit is microseconds (us), legal_scope [1,99999999], max value is 99
- threshold_us=1000
-### define in time.h,use CLOCK_MONOTONIC_COARSE as default
-### 0 means CLOCK_REALTIME, 1 means CLOCK_MONOTONIC, 2 means CLOCK_PROCESS_CPUTIME_ID, 3 means CLOCK_THREAD_CPUTIME_ID
-### 4 means CLOCK_MONOTONIC_RAW, 5 means CLOCK_REALTIME_COARSE, 6 means CLOCK_MONOTONIC_COARSE
- clock_gettime_id=6
-
- [profiling.sanity_check]
- raw_pkt_broken_enabled=0
- symbol_conflict_enabled=0
-
-[TOOLS]
- [tools.pkt_dump]
- enabled=1
-### note, mode options value:[storage, udp_socket]
- mode="udp_socket"
- BSD_packet_filter=""
-
- [tools.pkt_dump.threads]
-### note, if you want enable pkt dump in all thread, set dump_thread_all_enabled=1, then 'dump_thread_id' is obsoleted.
-### if dump_thread_all_enabled=0, then use dump_thread_id to specify separate specified thread index.
- all_threads_enabled=1
-
-### note, dump_thread_id start from 0, max is CPU.worker_threads-1
- dump_thread_id=[0,1,2,3,4]
-
- [tools.pkt_dump.udp]
- command_port=9345
- pkt_dump_ratio=30
-
- [tools.pkt_dump.storage]
-### note, file path must be double quotation mark extension, for example, path="/dev/shm/pkt_dump"
- path="/dev/shm/pkt_dump"
-### note, file size unit: MB
- file_size_max_per_thread=10000
-
-
-[BREAKPAD]
- disable_coredump=0
- enable_breakpad=0
- enable_breakpad_upload=0
- breakpad_minidump_dir="/run/sapp/crashreport"
- breakpad_upload_tools="/opt/tsg/framework/bin/minidump_upload"
-
-### note:
-### These configurations format is complex and difficult to describe with toml grammar,
-### so, create a independent secondary config file to description specific information.
-
-[SECONDARY_CONFIG_LINK]
- cfg_file_sapp_log="etc/sapp_log.conf"
- cfg_file_plug_list="plug/conflist.inf"
- cfg_file_project_list="etc/project_list.conf"
- cfg_file_entrylist="etc/entrylist.conf"
- cfg_file_send_raw_pkt="etc/send_raw_pkt.conf"
- cfg_file_vxlan_sport_map="etc/vxlan_sport_service_map.conf"
- cfg_file_inline_device="etc/gdev.conf"
- cfg_file_necessary_plug_list="etc/necessary_plug_list.conf"
- cfg_file_stream_compare_layer="etc/stream_compare_layer.conf"
- cfg_file_vlan_flipping="etc/vlan_flipping_map.conf"
- cfg_file_asymmetric_addr_layer="etc/asymmetric_addr_layer.conf"
- cfg_file_well_known_port="etc/well_known_port.conf"
-
-[SECONDARY_DATA_LINK]
- data_file_sysinfo_log="log/sysinfo.log"
- data_file_field_stat_log="log/fs2_sysinfo.log"
- data_file_inline_keepalive_log="log/gdev_keeplive_status.log"
-
-[LIBRARY_LINK]
- marsio_library_path="/opt/tsg/mrzcpd/lib/libmarsio.so"
diff --git a/ansible/roles/traffic-engine/files/helm/conf/sapp_log.conf b/ansible/roles/traffic-engine/files/helm/conf/sapp_log.conf
deleted file mode 100644
index 0c9ad6a3..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/sapp_log.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-[global]
-default format = "%d(%c), %V, %U, %m%n"
-rotate lock file = /tmp/sapp_zlog.lock
-file perms = 644
-[levels]
-DEBUG=10
-INFO=20
-FATAL=30
-STOP=40
-[formats]
-other = "%d(%c), %V, %F, %U, %m%n"
-plugin = "%d(%c), %m%n"
-[rules]
-sapp_log.fatal "./log/runtimelog.%d(%F)", 500M ~ "./log/runtimelog.%d(%F).#2s"
-sapp_plugin_log.fatal >stdout; plugin
-sapp_plugin_log.info "./log/plugin.log.%d(%F)", 500M ~ "./log/plugin.log.%d(%F).#2s"; plugin
-sapp_process_latency_log.fatal "./log/sapp_process_latency.log.%d(%F)", 500M ~ "./log/sapp_process_latency.log.%d(%F).#2s"
-!.fatal "./log/%c.%d(%F)", 500M ~ "./log/%c.%d(%F).#2s"; other
diff --git a/ansible/roles/traffic-engine/files/helm/conf/sce.conf b/ansible/roles/traffic-engine/files/helm/conf/sce.conf
deleted file mode 100644
index ffbd1f87..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/sce.conf
+++ /dev/null
@@ -1,101 +0,0 @@
-[system]
-nr_worker_threads={{- include "traffic-engine.sce.workerthread" . }}
-cpu_affinity_mask={{- include "traffic-engine.sce.cpu-affinity" . }}
-firewall_sids={{ .Values.sid.firewall }}
-stateless_sids=900
-enable_debug=0
-enable_send_log=1
-ts_update_interval_ms=1
-
-# Only when (disable_coredump == 1 || (enable_breakpad == 1 && enable_breakpad_upload == 1)) is satisfied, the core will not be generated locally
-
-disable_coredump=0
-enable_breakpad=0
-enable_breakpad_upload=0
-# must be /run/sce/crashreport,due to tmpfile limit
-breakpad_minidump_dir=/run/sce/crashreport
-breakpad_upload_tools=/opt/tsg/framework/bin/minidump_upload
-
-[maat]
-# 0:json 1:redis
-input_mode=1
-# LOG_LEVEL_TRACE = 0; LOG_LEVEL_DEBUG = 1; LOG_LEVEL_INFO = 2;
-# LOG_LEVEL_WARN = 3; LOG_LEVEL_ERROR = 4; LOG_LEVEL_FATAL = 5;
-log_level=5
-stat_switch=1
-perf_switch=1
-scan_detail=0
-deferred_load=0
-effect_interval_ms=1000
-stat_file=log/maat.fs2
-table_info=resource/table_info.conf
-accept_path=/opt/tsg/etc/tsg_device_tag.json
-json_cfg_file=resource/sce.json
-foreign_cont_dir=resource/foreign_files
-redis_db_idx={{ .Values.vsys_id }}
-redis_server={{- include "traffic-engine.global.cm.server-ip" . }}
-redis_port_range={{- include "traffic-engine.global.cm.server-port" .
}}
-max_chaining_size=32
-
-[packet_io]
-# bypass_traffic:0 disable
-# bypass_traffic:1 bypass all traffic
-# bypass_traffic:2 bypass raw traffic
-# bypass_traffic:3 bypass decrypted traffic
-bypass_traffic=0
-rx_burst_max=128
-min_timeout_ms=900
-app_symbol=sce-{{ .Values.app_symbol_index }}
-dev_nf_name={{ .Values.sce_config.steering_nic }}
-
-# dev_endpoint_l2 for vlan
-dev_endpoint_l2_name={{ .Values.sce_config.vlan_config.endpoint_nic }}
-vlan_encapsulate_replace_orig_vlan_header=0
-
-# dev_endpoint_l3 for vxlan
-dev_endpoint_l3_name={{ .Values.sce_config.vxlan_config.endpoint_nic }}
-dev_endpoint_l3_ip={{ .Values.sce_config.vxlan_config.endpoint_ip }}
-# dev_endpoint_l3_mac=aa:aa:aa:aa:aa:aa
-
-[stat]
-output_file=log/sce.fs2
-statsd_server=127.0.0.1
-statsd_port=8100
-# 1 : FS_OUTPUT_STATSD
-# 2 : FS_OUTPUT_INFLUX_LINE
-statsd_format=2
-statsd_cycle=2
-prometheus_listen_port=9006
-prometheus_listen_url=/metrics
-
-[metrics]
-output_fs_interval_ms=500
-output_kafka_interval_ms=1000
-{{- range .Values.device.tags -}}
-{{- range $key,$val := . }}
-{{- if eq $key "data_center" }}
-data_center={{ $val }}
-{{- end }}
-{{- if eq $key "device_group" }}
-device_group={{ $val }}
-{{- end }}
-{{- end }}
-{{- end }}
-device_id=DEVICE_ID_PLACE_HOLDER_MARK
-
-[bfdd]
-enable=1
-# use default_gw_mac when enable = 0
-default_gw_mac=aa:aa:aa:aa:aa:aa
-path=/run/frr/bfdd.vty
-device={{ .Values.sce_config.vxlan_config.endpoint_nic }}
-local_address={{ .Values.sce_config.vxlan_config.endpoint_ip }}
-gateway={{ .Values.sce_config.vxlan_config.endpoint_gateway }}
-icmp_cycle_time_s=10
-
-[kafka]
-enable_debug=0
-brokerlist={{- include "traffic-engine.config.addresses.converter" (list .Values.external_resources.olap.kafka_brokers.addresses ",") }}
-sasl_username={{ .Values.external_resources.olap.kafka_brokers.sasl_username }}
-sasl_passwd={{ .Values.external_resources.olap.kafka_brokers.sasl_password }}
-topic_name=POLICY-RULE-METRIC
\ No newline at end of file
diff --git a/ansible/roles/traffic-engine/files/helm/conf/sce_log.conf b/ansible/roles/traffic-engine/files/helm/conf/sce_log.conf
deleted file mode 100644
index 62be24ea..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/sce_log.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# kill -s SIGHUP "pid"
-
-[global]
-default format = "%d(%c), %V, %F, %U, %m%n"
-
-[levels]
-DEBUG=10
-INFO=20
-FATAL=30
-
-[rules]
-sce.fatal "./log/sce.log.%d(%F)", 500M ~ "./log/sce.log.%d(%F).#2s";
diff --git a/ansible/roles/traffic-engine/files/helm/conf/send_raw_pkt.conf b/ansible/roles/traffic-engine/files/helm/conf/send_raw_pkt.conf
deleted file mode 100644
index 00ae693e..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/send_raw_pkt.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-#(0:pag,1:pcap,2:dumpfile,3:pfring,4:DPDK,5:ppf,6:NPacket,7:qnf,8:N95,9:pcap-dumpfile-list,10:topsec,
-##(11:ipfile, 12:marsio4, 13:agent_smith, 14:dpdk_vxlan, 15:marsio_vxlan, 16:pag_marsio
-
-#target_id
-0 pag p7p2 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 {{ .Values.nic_raw_name }} smith dpdk dpdk pag
-1 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 {{ .Values.nic_raw_name }} smith dpdk dpdk pag
-#2 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p1 smith dpdk dpdk pag
-#3 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p2 smith dpdk dpdk pag
-#4 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p2 smith dpdk dpdk pag
diff --git a/ansible/roles/traffic-engine/files/helm/conf/shaping.conf b/ansible/roles/traffic-engine/files/helm/conf/shaping.conf
deleted file mode 100644
index 0e4a66cc..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/shaping.conf
+++ /dev/null
@@ -1,54 +0,0 @@
-[SYSTEM]
-WORK_THREAD_NUM={{- include "traffic-engine.shaping.workerthread" . }}
-ENABLE_CPU_AFFINITY=1
-CPU_AFFINITY_MASK={{- include "traffic-engine.shaping.cpu-affinity" . }}
-firewall_sids={{ .Values.sid.firewall }}
-
-[MARSIO]
-DEV_INTERFACE="{{ .Values.shaping_config.shaping_nic }}"
-RX_BRUST_MAX=64
-APP_SYMBOL="shaping-{{ .Values.app_symbol_index }}"
-
-[MAAT]
-INPUT_MODE=1
-TABLE_INFO="conf/table_info.json"
-JSON_FILE="conf/shaping_maat.json"
-REDIS_DB_IDX={{ .Values.vsys_id }}
-REDIS_IP="{{- include "traffic-engine.global.cm.server-ip" . }}"
-REDIS_PORT="{{- include "traffic-engine.global.cm.server-port" . }}"
-
-
-[SWARMKV]
-SWARMKV_CLUSTER_NAME="tsg-shaping-vsys{{ .Values.vsys_id }}"
-SWARMKV_NODE_IP="0.0.0.0"
-SWARMKV_NODE_PORT=8551
-SWARMKV_CONSUL_IP="NODE_IP_LOCATION"
-SWARMKV_CONSUL_PORT=8500
-SWARMKV_CLUSTER_ANNOUNCE_IP="NODE_IP_LOCATION"
-SWARMKV_CLUSTER_ANNOUNCE_PORT=CLUSTER_ANNOUNCE_PORT_LOCATION
-SWARMKV_HEALTH_CHECK_PORT=8552
-SWARMKV_HEALTH_CHECK_ANNOUNCE_PORT=HEALTH_CHECK_ANNOUNCE_PORT_LOCATION
-
-[METRIC]
-{{- range .Values.device.tags -}}
-{{- range $key,$val := . }}
-{{- if eq $key "data_center" }}
-DATA_CENTER={{ $val }}
-{{- end }}
-{{- if eq $key "device_group" }}
-DEVICE_GROUP={{ $val }}
-{{- end }}
-{{- end }}
-{{- end }}
-DEVICE_ID="DEVICE_ID_PLACE_HOLDER_MARK"
-KAFKA_TOPIC="POLICY-RULE-METRIC"
-KAFKA_BROKERS="{{- include "traffic-engine.config.addresses.converter" (list .Values.external_resources.olap.kafka_brokers.addresses ",") }}"
-KAFKA_USERNAME="{{ .Values.external_resources.olap.kafka_brokers.sasl_username }}"
-KAFKA_PASSWORD="{{ .Values.external_resources.olap.kafka_brokers.sasl_password }}"
-
-[CONFIG]
-#PROFILE_QUEUE_LEN_PER_PRIORITY_MAX=128
-SESSION_QUEUE_LEN_MAX=32
-QUEUEING_SESSIONS_PER_PRIORITY_PER_THREAD_MAX=1024
-POLLING_NODE_NUM_MAX={"polling_node_num_max":[ 3, 2, 2, 2, 2, 2, 2, 2, 2, 2 ]}
-
diff --git a/ansible/roles/traffic-engine/files/helm/conf/shaping_log.conf b/ansible/roles/traffic-engine/files/helm/conf/shaping_log.conf
deleted file mode 100644
index 66fef90c..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/shaping_log.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-[global]
-default format = "%d(%c), %V, %F, %U, %m%n"
-
-[levels]
-DEBUG=10
-INFO=20
-FATAL=30
-
-[rules]
-log_shaping.fatal "./log/shaping.log.%d(%F)", 500M ~ "./log/shaping.log.%d(%F).#2s";
-#log_shaping.fatal >stdout;
-#log_shaping.info "./log/info_shaping.log.%d(%F)";
-#log_shaping.debug "./log/debug_shaping.log.%d(%F)";
diff --git a/ansible/roles/traffic-engine/files/helm/conf/spec.toml b/ansible/roles/traffic-engine/files/helm/conf/spec.toml
deleted file mode 100644
index 4a539506..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/spec.toml
+++ /dev/null
@@ -1,49 +0,0 @@
-{{ if eq .Values.session_flags.enable .Values.define_enable_val_yes -}}
-[[plugin]]
-path = "./stellar_plugin/session_flags.so"
-init = "session_flags_plugin_init"
-exit = "session_flags_plugin_exit"
-{{- end }}
-
-[[plugin]]
-path = "./stellar_plugin/glimpse_detector.so"
-init = "APP_GLIMPSE_DETECTOR_LOAD"
-exit = "APP_GLIMPSE_DETECTOR_UNLOAD"
-
-[[plugin]]
-path = "./plug/business/firewall/firewall.so"
-init = "firewall_stellar_plugin_load"
-exit = "firewall_stellar_plugin_unload"
-
-[[plugin]]
-path = "./stellar_plugin/sf_classifier.so"
-init = "sf_classifier_init"
-exit = "sf_classifier_exit"
-
-{{ if and (eq .Values.appsketch.qdpi_detector .Values.define_enable_val_yes) (eq .Values.appsketch.enable .Values.define_enable_val_yes) -}}
-[[plugin]]
-path = "./stellar_plugin/qdpi_detector/qdpi_detector.so"
-init = "QDPI_DETECTOR_LOAD"
-exit = "QDPI_DETECTOR_UNLOAD"
-{{- end }}
-
-{{ if eq .Values.stat_policy_enforcer.enable .Values.define_enable_val_yes -}}
-[[plugin]]
-path = "./stellar_plugin/stat_policy_enforcer.so"
-init = "STATISTICS_INIT"
-exit = "STATISTICS_EXIT"
-{{- end }}
-
-{{ if eq .Values.traffic_sketch.enable .Values.define_enable_val_yes -}}
-[[plugin]]
-path = "./stellar_plugin/traffic_sketch.so"
-init = "TRAFFIC_SKETCH_INIT"
-exit = "TRAFFIC_SKETCH_EXIT"
-{{- end }}
-
-{{ if eq .Values.policy_sketch.enable .Values.define_enable_val_yes -}}
-[[plugin]]
-path = "./stellar_plugin/policy_sketch.so"
-init = "POLICY_SKETCH_INIT"
-exit = "POLICY_SKETCH_EXIT"
-{{- end }}
diff --git a/ansible/roles/traffic-engine/files/helm/conf/ssl_main.conf b/ansible/roles/traffic-engine/files/helm/conf/ssl_main.conf
deleted file mode 100644
index 29b5cab0..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/ssl_main.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-[SSL]
-MAX_CACHE_LEN=10240
-{{- if eq .Values.decoders.SSL_CERT .Values.define_enable_val_yes }}
-PARSE_CERTIFICATE_DETAIL=1
-{{- else }}
-PARSE_CERTIFICATE_DETAIL=0
-{{- end }}
-{{- if eq .Values.decoders.SSL_DETAIN_FRAG_CHELLO .Values.define_enable_val_yes }}
-DETAIN_FRAG_CHELLO_NUM=6
-{{- else }}
-DETAIN_FRAG_CHELLO_NUM=0
-{{- end }}
\ No newline at end of file
diff --git a/ansible/roles/traffic-engine/files/helm/conf/tfe.conf b/ansible/roles/traffic-engine/files/helm/conf/tfe.conf
deleted file mode 100644
index 73e6e690..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/tfe.conf
+++ /dev/null
@@ -1,288 +0,0 @@
-[system]
-nr_worker_threads={{- include "traffic-engine.tfe.workerthread" . }}
-
-# Only when (disable_coredump == 1 || (enable_breakpad == 1 && enable_breakpad_upload == 1)) is satisfied, the core will not be generated locally
-
-disable_coredump=0
-enable_breakpad=0
-enable_breakpad_upload=0
-# must be /run/tfe/crashreport due to tmpfile limit
-breakpad_minidump_dir=/run/tfe/crashreport
-breakpad_upload_tools=/opt/tsg/framework/bin/minidump_upload
-
-# ask for at least (1 + nr_worker_threads) masks
-# the first mask for acceptor thread
-# the others mask for worker thread
-enable_cpu_affinity=1
-cpu_affinity_mask={{- include "traffic-engine.tfe.cpu-affinity" . }}
-
-# LEAST_CONN = 0; ROUND_ROBIN = 1
-load_balance=1
-
-[public]
-vsys_id={{ .Values.vsys_id }}
-{{- range .Values.device.tags -}}
-{{- range $key,$val := . }}
-{{- if eq $key "data_center" }}
-data_center={{ $val }}
-{{- end }}
-{{- if eq $key "device_group" }}
-device_group={{ $val }}
-{{- end }}
-{{- end }}
-{{- end }}
-device_id=DEVICE_ID_PLACE_HOLDER_MARK
-
-# for enable kni v3
-[nfq]
-queue_id=1
-queue_maxlen=655350
-queue_rcvbufsiz=983025000
-queue_no_enobufs=1
-
-[kni]
-# kni v1
-#uxdomain=/var/run/.tfe_kni_acceptor_handler
-# kni v2
-#scm_socket_file=/var/run/.tfe_kmod_scm_socket
-
-# send cmsg
-send_switch=0
-ip=127.0.0.1
-cmsg_port=2475
-
-# watch dog
-watchdog_switch=0
-watchdog_port=2476
-
-[watchdog_tfe]
-# The worker thread updates the timestamp every two seconds
-# The watchdog thread checks the timestamp every second
-enable=1
-timeout_seconds=5
-statistics_window=20
-timeout_cnt_as_fail=3
-timeout_debug=0
-
-[ssl]
-ssl_debug=0
-# ssl version Not available, configured via TSG website
-# ssl_max_version=tls13
-# ssl_min_version=ssl3
-ssl_compression=1
-no_ssl2=1
-no_ssl3=0
-no_tls10=0
-no_tls11=0
-no_tls12=0
-default_ciphers=ALL:-aNULL
-no_cert_verify=0
-
-# session ticket
-no_session_ticket=0
-stek_group_num=4096
-stek_rotation_time=3600
-
-# session cache
-no_session_cache=0
-session_cache_slots=4194304
-session_cache_expire_seconds=1800
-
-# service cache
-service_cache_slots=4194304
-service_cache_expire_seconds=300
-service_cache_fail_as_pinning_cnt=4
-service_cache_fail_as_proto_err_cnt=5
-service_cache_fail_time_window=30
-service_cache_succ_as_app_not_pinning_cnt=0
-
-# cert
-check_cert_crl=0
-trusted_cert_load_local=1
-trusted_cert_file=resource/tfe/tsg_diagnose_ca.pem
-trusted_cert_dir=resource/tfe/trusted_storage
-
-# master key
-log_master_key=0
-key_log_file=log/sslkeylog.log
-
-[key_keeper]
-#Mode: debug - generate cert with ca_path, normal - generate cert with cert store
-#0 on cache 1 off cache
-no_cache=0
-mode=normal
-cert_store_host=127.0.0.1
-cert_store_port=9991
-ca_path=resource/tfe/tango-ca-v3-trust-ca.pem
-untrusted_ca_path=resource/tfe/tango-ca-v3-untrust-ca.pem
-hash_slot_size=131072
-hash_expire_seconds=300
-cert_expire_time=24
-
-# health_check only for "mode=normal" default 1
-enable_health_check=1
-
-[tsg_http]
-enable_plugin=1
-en_sendlog=1
-
-[debug]
-# 1 : enforce tcp passthrough
-# 0 : Whether to passthrough depends on the tcp_options in cmsg
-passthrough_all_tcp=0
-
-[ratelimit]
-read_rate=0
-read_burst=0
-write_rate=0
-write_burst=0
-
-[tcp]
-# read rcv_buff/snd_buff options from tfe conf
-sz_rcv_buffer=-1
-sz_snd_buffer=-1
-
-# 1 : use tcp_options in tfe.conf
-# 0 : use tcp_options in cmsg
-enable_overwrite=0
-tcp_nodelay=1
-so_keepalive=1
-tcp_keepcnt=8
-tcp_keepintvl=15
-tcp_keepidle=30
-tcp_user_timeout=600
-tcp_ttl_upstream=75
-tcp_ttl_downstream=70
-
-[stat]
-statsd_server=127.0.0.1
-statsd_port=8900
-statsd_cycle=5
-# 1:FS_OUTPUT_STATSD; 2:FS_OUTPUT_INFLUX_LINE
-statsd_format=2
-histogram_bins=0.5,0.8,0.9,0.95
-statsd_set_prometheus_port=9001
-statsd_set_prometheus_url_path=/metrics
-
-[traffic_mirror]
-{{- if eq .Values.traffic_mirror.enable_decrypted_traffic .Values.define_enable_val_yes }}
-enable=1
-{{- else }}
-enable=0
-{{- end }}
-{{- if .Values.nic_mirror_name.proxy
}}
-device={{ .Values.nic_mirror_name.proxy }}
-{{- end }}
-app_symbol=proxy-mirror-{{ .Values.app_symbol_index }}
-# 0:TRAFFIC_MIRROR_ETHDEV_AF_PACKET; 1:TRAFFIC_MIRROR_ETHDEV_MARSIO
-type=1
-
-table_info=resource/pangu/table_info_traffic_mirror.conf
-stat_file=log/traffic_mirror.status
-default_vlan_id=0
-
-[kafka]
-brokerlist={{- include "traffic-engine.config.addresses.converter" (list .Values.external_resources.olap.kafka_brokers.addresses ",") }}
-sasl_username={{ .Values.external_resources.olap.kafka_brokers.sasl_username }}
-sasl_passwd={{ .Values.external_resources.olap.kafka_brokers.sasl_password }}
-rule_hits_topic=POLICY-RULE-METRIC
-proxy_event_topic=PROXY-EVENT
-file_stream_topic=TRAFFIC-HTTP-FILE-STREAM-RECORD
-exch_cert_topic=PXY-EXCH-INTERMEDIA-CERT
-
-[maat]
-# 0:json 1:redis
-maat_input_mode=1
-stat_switch=1
-perf_switch=1
-table_info=resource/pangu/table_info.conf
-accept_path=/opt/tsg/etc/tsg_device_tag.json
-stat_file=log/pangu_scan.fs2
-effect_interval_s=1
-deferred_load_on=0
-
-# json mode conf iterm
-json_cfg_file=resource/pangu/pangu_http.json
-
-# redis mode conf iterm
-maat_redis_server={{- include "traffic-engine.global.cm.server-ip" . }}
-maat_redis_port_range={{- include "traffic-engine.global.cm.server-port" . }}
-maat_redis_db_index={{ .Values.vsys_id }}
-
-[proxy_hits]
-app_name="proxy_rule_hits"
-output_fs_interval_ms=500
-output_kafka_interval_ms=1000
-
-# for enable kni v4
-[packet_io]
-dup_packet_filter_enable=1
-dup_packet_filter_capacity=1000000
-dup_packet_filter_timeout=10
-# MESA_load_profile not support double
-#dup_packet_filter_error_rate=0.00001
-packet_io_debug=0
-packet_io_threads={{- include "traffic-engine.pktio.workerthread" . }}
-packet_io_cpu_affinity_mask={{- include "traffic-engine.pktio.cpu-affinity" .
}}
-
-firewall_sids={{ .Values.sid.firewall }}
-proxy_sids={{ .Values.sid.proxy }}
-service_chaining_sids={{ .Values.sid.sce }}
-
-# bypass_all_traffic:1 NF2NF and SF2SF
-bypass_all_traffic=0
-
-rx_burst_max=128
-app_symbol=proxy-{{ .Values.app_symbol_index }}
-dev_nf_interface={{ .Values.proxy_config.proxy_nic }}
-
-src_mac_addr = 00:0e:c6:d6:72:c1
-
-# tap config
-tap_name=tap0
-
-# 1.tap_allow_mutilthread=1 load bpf rss obj
-# 2.tap_allow_mutilthread=0 not load bpf rss obj
-tap_allow_mutilthread=1
-bpf_obj=/opt/tsg/tfe/resource/bpf/bpf_tun_rss_steering.o
-# tap_bpf_debug_log: cat /sys/kernel/debug/tracing/trace_pipe
-bpf_debug_log=0
-# 2: BPF 使用二元组分流
-# 4: BPF 使用四元组分流
-bpf_hash_mode={{ .Values.distmode }}
-
-# 配置 tap 网卡的 RPS
-tap_rps_enable=1
-tap_rps_mask={{ .Values.tfe_rps_mask }}
-
-# iouring config
-enable_iouring=1
-enable_debuglog=0
-ring_size=1024
-buff_size=2048
-# io_uring_setup() flags
-# IORING_SETUP_IOPOLL (1U << 0) /* io_context is polled */
-# IORING_SETUP_SQPOLL (1U << 1) /* SQ poll thread */
-# IORING_SETUP_SQ_AFF (1U << 2) /* sq_thread_cpu is valid */
-# IORING_SETUP_CQSIZE (1U << 3) /* app defines CQ size */
-# IORING_SETUP_CLAMP (1U << 4) /* clamp SQ/CQ ring sizes */
-# IORING_SETUP_ATTACH_WQ (1U << 5) /* attach to existing wq */
-# IORING_SETUP_R_DISABLED (1U << 6) /* start with ring disabled */
-# IORING_SETUP_SUBMIT_ALL (1U << 7) /* continue submit on error */
-flags=0
-sq_thread_idle=0
-
-[traffic_steering]
-enable_steering_http=0
-enable_steering_ssl=0
-# 17: 0x11
-so_mask_client=17
-# 34: 0x22
-so_mask_server=34
-device_client=tap_c
-device_server=tap_s
-
-http_keepalive_enable=0
-http_keepalive_path="/metrics"
-http_keepalive_addr=192.168.41.60
-http_keepalive_port=9273
\ No newline at end of file
diff --git a/ansible/roles/traffic-engine/files/helm/conf/tfe_log.conf b/ansible/roles/traffic-engine/files/helm/conf/tfe_log.conf
deleted file mode 100644
index d092dcf9..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/tfe_log.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# kill -s SIGHUP "pid"
-
-[global]
-
-default format = "%d(%c), %t, %V, %F, %U, %m%n"
-rotate lock file = /tmp/tfe_zlog.lock
-file perms = 644
-
-[levels]
-
-DEBUG=10
-INFO=20
-FATAL=30
-#DISABLE=40
-
-[rules]
-
-*.fatal "./log/error.log.%d(%F)", 500M ~ "./log/error.log.%d(%F).#2s";
-tfe.fatal "./log/tfe.log.%d(%F)", 500M ~ "./log/tfe.log.%d(%F).#2s";
-http.fatal "./log/http.log.%d(%F)", 500M ~ "./log/http.log.%d(%F).#2s";
-http2.fatal "./log/http2.log.%d(%F)", 500M ~ "./log/http2.log.%d(%F).#2s";
-doh.fatal "./log/doh_pxy.log.%d(%F)", 500M ~ "./log/doh_pxy.log.%d(%F).#2s";
-tsg_http.fatal "./log/tsg_http_pxy.log.%d(%F)", 500M ~ "./log/tsg_http_pxy.log.%d(%F).#2s";
-packet_io.fatal "./log/packet_io.log.%d(%F)", 500M ~ "./log/packet_io.log.%d(%F).#2s";
diff --git a/ansible/roles/traffic-engine/files/helm/conf/tsg_device_tag.json b/ansible/roles/traffic-engine/files/helm/conf/tsg_device_tag.json
deleted file mode 100644
index 712583ed..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/tsg_device_tag.json
+++ /dev/null
@@ -1,2 +0,0 @@
-[MAAT]
-ACCEPT_TAGS={"tags":[{{- include "traffic-engine.device-tag-list" . }}]}
diff --git a/ansible/roles/traffic-engine/files/helm/conf/vlan_flipping_map.conf b/ansible/roles/traffic-engine/files/helm/conf/vlan_flipping_map.conf
deleted file mode 100644
index d4a7248d..00000000
--- a/ansible/roles/traffic-engine/files/helm/conf/vlan_flipping_map.conf
+++ /dev/null
@@ -1,104 +0,0 @@
-#for inline a device vlan flipping
-#数据包来自C路由器端, 即C2I(I2E)方向,
-#数据包来自I路由器端, 即I2C(E2I)方向,
-#平台会根据vlan_id,设置当前包route_dir的值, 以便上层业务插件做两个方向的流量统计,
-#如果一对vlan_id写反了, 网络是通的, 但是I2E,E2I的流量统计就颠倒了.
-#配置文件格式, pattern:
-#来自C路由器vlan_id 来自I路由器vlan_id 是否开启mac地址翻转
-#C_rout r_vlan_id I_router_vlan_id mac_flipping_enable
-1000 1001 0
-1002 1003 0
-1004 1005 0
-1006 1007 0
-1008 1009 0
-1010 1011 0
-1012 1013 0
-1014 1015 0
-1016 1017 0
-1018 1019 0
-1020 1021 0
-1022 1023 0
-1024 1025 0
-1026 1027 0
-1028 1029 0
-1030 1031 0
-1032 1033 0
-1034 1035 0
-1036 1037 0
-1038 1039 0
-1040 1041 0
-1042 1043 0
-1044 1045 0
-1046 1047 0
-1048 1049 0
-1050 1051 0
-1052 1053 0
-1054 1055 0
-1056 1057 0
-1058 1059 0
-1060 1061 0
-1062 1063 0
-1064 1065 0
-1066 1067 0
-1068 1069 0
-1070 1071 0
-1072 1073 0
-1074 1075 0
-1076 1077 0
-1078 1079 0
-1080 1081 0
-1082 1083 0
-1084 1085 0
-1086 1087 0
-1088 1089 0
-1090 1091 0
-1092 1093 0
-1094 1095 0
-1096 1097 0
-1098 1099 0
-1100 1101 0
-1102 1103 0
-1104 1105 0
-1106 1107 0
-1108 1109 0
-1110 1111 0
-1112 1113 0
-1114 1115 0
-1116 1117 0
-1118 1119 0
-1120 1121 0
-1122 1123 0
-1124 1125 0
-1126 1127 0
-4000 4001 0
-4002 4003 0
-4004 4005 0
-4006 4007 0
-4008 4009 0
-4010 4011 0
-4012 4013 0
-4014 4015 0
-4016 4017 0
-4018 4019 0
-4020 4021 0
-4022 4023 0
-4024 4025 0
-4026 4027 0
-4028 4029 0
-4030 4031 0
-4032 4033 0
-4034 4035 0
-4036 4037 0
-4038 4039 0
-4040 4041 0
-4042 4043 0
-4044 4045 0
-4046 4047 0
-4048 4049 0
-4050 4051 0
-4052 4053 0
-4054 4055 0
-4056 4057 0
-4058 4059 0
-4060 4061 0
-4062 4063 0
\ No newline at end of file
diff --git a/ansible/roles/traffic-engine/files/helm/templates/_config.tpl b/ansible/roles/traffic-engine/files/helm/templates/_config.tpl
deleted file mode 100644
index eec1b52b..00000000
--- a/ansible/roles/traffic-engine/files/helm/templates/_config.tpl
+++ /dev/null
@@ -1,246 +0,0 @@ -{{- define "traffic-engine.config.addresses.converter" -}} -{{- $addresses := list -}} -{{- $source := index . 0 -}} -{{- $separator := index . 1 -}} -{{- if $source }} -{{- range $source -}} -{{- $address := ( print .address ":" .port ) -}} -{{- $addresses = append $addresses $address -}} -{{- end -}} -{{- join $separator $addresses }} -{{- end }} -{{- end -}} - -{{- define "traffic-engine.tfe.workerthread" -}} -{{- if eq (len .Values.tfe_affinity) 1 }} -{{- 1 }} -{{- else }} -{{- sub (len .Values.tfe_affinity) 1 }} -{{- end }} -{{- end -}} - -{{- define "traffic-engine.sce.workerthread" -}} -{{- len .Values.sce_affinity }} -{{- end -}} - -{{- define "traffic-engine.shaping.workerthread" -}} -{{- len .Values.shaping_affinity }} -{{- end -}} - -{{- define "traffic-engine.inject_adapter.workerthread" -}} -{{- len .Values.inject_adapter_affinity }} -{{- end -}} - -{{- define "traffic-engine.pktio.workerthread" -}} -{{- len .Values.pktio_affinity }} -{{- end -}} - -{{- define "traffic-engine.tfe.cpu-affinity" -}} -{{- if eq (len .Values.tfe_affinity) 1 }} -{{- print (index .Values.tfe_affinity 0) "," (index .Values.tfe_affinity 0) }} -{{- else }} -{{- join "," .Values.tfe_affinity }} -{{- end }} -{{- end -}} - -{{- define "traffic-engine.sce.cpu-affinity" -}} -{{- join "," .Values.sce_affinity }} -{{- end -}} - -{{- define "traffic-engine.shaping.cpu-affinity" -}} -{{- join "," .Values.shaping_affinity }} -{{- end -}} - -{{- define "traffic-engine.inject_adapter.cpu-affinity" -}} -{{- join "," .Values.inject_adapter_affinity }} -{{- end -}} - -{{- define "traffic-engine.pktio.cpu-affinity" -}} -{{- join "," .Values.pktio_affinity }} -{{- end -}} - -{{- define "traffic-engine.device-tag-list" -}} -{{- $tags_list := list -}} -{{- if .Values.device.tags }} -{{- range .Values.device.tags -}} -{{- range $key,$val := . 
}} -{{- $tag_json := ( print "{\"tag\":\"" $key "\",\"value\":\"" $val "\"}") -}} -{{- $tags_list = append $tags_list $tag_json -}} -{{- end }} -{{- end }} -{{- end }} -{{- join "," $tags_list }} -{{- end -}} - -{{- define "traffic-engine.sapp.workerthread" -}} -{{ len .Values.sapp_affinity }} -{{- end -}} - -{{- define "traffic-engine.sapp.cpu-affinity" -}} -{{ join "," .Values.sapp_affinity }} -{{- end -}} - -{{- define "traffic-engine.config.identify-proto-name" -}} -{{- $proto_name := "" -}} -{{- $val_yes := .Values.define_enable_val_yes }} -{{- range $key, $val := .Values.decoders }} -{{- if eq $val $val_yes }} -{{- $proto_name = print $proto_name $key ";" }} -{{- end }} -{{- end }} -{{- $proto_name }} -{{- end -}} - -{{- define "traffic-engine.merge-exporter.merge-urls" -}} -{{- if and (eq .Values.proxy.enable .Values.define_enable_val_yes) (ge (len .Values.tfe_affinity) 1) }} -{{- print "value: http://localhost:9273/metrics http://localhost:9001/metrics http://localhost:9002/metrics http://localhost:9006/metrics" }} -{{- else }} -{{- print "value: http://localhost:9273/metrics http://localhost:9002/metrics http://localhost:9006/metrics" }} -{{- end }} -{{- end -}} - -{{/* -Set up the environment to enable API access. -The template should be invoked in command line. -*/}} -{{- define "public.prepare-access-API" -}} -export APISERVER=https://kubernetes.default.svc -export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount -export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) -export TOKEN=$(cat ${SERVICEACCOUNT}/token) -export CACERT=${SERVICEACCOUNT}/ca.crt -{{- end -}} - -{{/* -Read the node annotations information and serialize it into a file. -The template should be invoked from the command line. -The template requires "public.prepare-access-API". 
-*/}} -{{- define "public.serialize-node-annotations" -}} -curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/nodes/${NODE_NAME} -o /tmp/node-${NODE_NAME}.json -export DEVICE_SN=$(cat /tmp/node-${NODE_NAME}.json | jq -r '.metadata.annotations."tsg-os/device-sn"') -echo "{\"sn\": \"$DEVICE_SN\"}" > /opt/tsg/shared-configs/tsg_sn.json -echo "export device_id=${DEVICE_SN}" > /opt/tsg/shared-configs/device_id.sh -{{- end -}} - -{{/* -The volumes related to "mrzcpd". -The volumes will be mounted by "traffic-engine.mount.mrzcpd". -*/}} -{{- define "traffic-engine.volume.mrzcpd" -}} -- name: opt-tsg-mrzcpd - hostPath: - path: /opt/tsg/mrzcpd -- name: var-run-mrzcpd - hostPath: - path: /var/run/mrzcpd -- name: var-run-dpdk - hostPath: - path: /var/run/dpdk -- name: profile-mrzcpd - hostPath: - path: /etc/profile.d/mrzcpd.sh - type: File -- name: ldconfig-mrzcpd - hostPath: - path: /etc/ld.so.conf.d/mrzcpd.conf - type: File -{{- end -}} - -{{/* -The volumeMounts related to "mrzcpd". 
-Requires "traffic-engine.volume.mrzcpd" -*/}} -{{- define "traffic-engine.mount.mrzcpd" -}} -- name: opt-tsg-mrzcpd - mountPath: /opt/tsg/mrzcpd - mountPropagation: HostToContainer - readOnly: false -- name: var-run-mrzcpd - mountPath: /var/run/mrzcpd - readOnly: false -- name: var-run-dpdk - mountPath: /var/run/dpdk - readOnly: false -- name: profile-mrzcpd - mountPath: /etc/profile.d/mrzcpd.sh - readOnly: true -- name: ldconfig-mrzcpd - mountPath: /etc/ld.so.conf.d/mrzcpd.conf - readOnly: true -{{- end -}} - -{{- define "traffic-engine.global.cm.server-ip" -}} -{{- if eq .Values.external_resources.cm.connectivity "direct" }} -{{- print .Values.external_resources.cm.direct.address }} -{{- else if eq .Values.external_resources.cm.connectivity "builtin" }} -{{- print "tsg-cm.tsg-os-system.svc" }} -{{- else }} -{{- print .Values.external_resources.cm.local_cache.cache_name "-redis-master.tsg-os-system.svc" }} -{{- end }} -{{- end -}} - -{{- define "traffic-engine.global.cm.server-port" -}} -{{- if eq .Values.external_resources.cm.connectivity "direct" }} -{{- print .Values.external_resources.cm.direct.port }} -{{- else if eq .Values.external_resources.cm.connectivity "builtin" }} -{{- print "7002" }} -{{- else }} -{{- print "6379" }} -{{- end }} -{{- end -}} - -{{- define "traffic-engine.global.sd.server-ip" -}} -{{- if eq .Values.external_resources.sd.enable .Values.define_enable_val_yes }} -{{- if eq .Values.external_resources.sd.connectivity "direct" }} -{{- print .Values.external_resources.sd.direct.address }} -{{- else }} -{{- print .Values.external_resources.sd.local_cache.cache_name "-redis-master.tsg-os-system.svc" }} -{{- end }} -{{- end }} -{{- end -}} - -{{- define "traffic-engine.global.sd.server-port" -}} -{{- if eq .Values.external_resources.sd.enable .Values.define_enable_val_yes }} -{{- if eq .Values.external_resources.sd.connectivity "direct" }} -{{- print .Values.external_resources.sd.direct.port }} -{{- else }} -{{- print "6379" }} -{{- end }} 
-{{- end }} -{{- end -}} - -{{- define "public.sync-host-timezone.volume" -}} -- name: localtime-volume - hostPath: - path: /etc/localtime -{{- end -}} - -{{- define "public.sync-host-timezone.volume-mount" -}} -- name: localtime-volume - mountPath: /etc/localtime - readOnly: true -{{- end -}} - -{{- define "public.license-support.dev-shm-volume" -}} -- name: dev-shm-volume - hostPath: - path: /dev/shm -{{- end -}} - -{{- define "public.license-support.dev-shm-volume-mount" -}} -- name: dev-shm-volume - mountPath: /dev/shm -{{- end -}} - -{{- define "public.license-support.dev-bus-usb-volume" -}} -- name: dev-bus-usb-node - hostPath: - path: /dev/bus/usb -{{- end -}} - -{{- define "public.license-support.dev-bus-usb-volume-mount" -}} -- name: dev-bus-usb-node - mountPath: /dev/bus/usb - readOnly: true -{{- end -}} \ No newline at end of file diff --git a/ansible/roles/traffic-engine/files/helm/templates/clusterrole.yaml b/ansible/roles/traffic-engine/files/helm/templates/clusterrole.yaml deleted file mode 100644 index 8f8014e4..00000000 --- a/ansible/roles/traffic-engine/files/helm/templates/clusterrole.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - vsysId: "{{ .Values.vsys_id }}" - serviceFunction: {{ .Release.Name }} - name: {{ .Release.Name }} -rules: - - apiGroups: [""] - resources: ["services", "nodes"] - verbs: ["get", "list", "watch"] \ No newline at end of file diff --git a/ansible/roles/traffic-engine/files/helm/templates/clusterrolebinding.yaml b/ansible/roles/traffic-engine/files/helm/templates/clusterrolebinding.yaml deleted file mode 100644 index 7be3b581..00000000 --- a/ansible/roles/traffic-engine/files/helm/templates/clusterrolebinding.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - vsysId: "{{ .Values.vsys_id }}" - serviceFunction: {{ .Release.Name }} - name: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ .Release.Name }} -subjects: - - kind: ServiceAccount - name: {{ .Release.Name }} - namespace: {{ .Release.Namespace }} diff --git a/ansible/roles/traffic-engine/files/helm/templates/configmap-firewall.yaml b/ansible/roles/traffic-engine/files/helm/templates/configmap-firewall.yaml deleted file mode 100644 index f0bf4aa3..00000000 --- a/ansible/roles/traffic-engine/files/helm/templates/configmap-firewall.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: firewall-{{ .Release.Name }} - namespace: default -data: - conflist.inf: {{ tpl (.Files.Get "conf/conflist.inf") . | quote }} - gdev.conf: {{ tpl (.Files.Get "conf/gdev.conf") . | quote }} - main.conf: {{ tpl (.Files.Get "conf/main.conf") . | quote }} - maat.conf: {{ tpl (.Files.Get "conf/maat.conf") . | quote }} - sapp.toml: {{ tpl (.Files.Get "conf/sapp.toml") . | quote }} - send_raw_pkt.conf: {{ tpl (.Files.Get "conf/send_raw_pkt.conf") . | quote }} - vlan_flipping_map.conf: {{ tpl (.Files.Get "conf/vlan_flipping_map.conf") . | quote }} - tsg_device_tag.json: {{ tpl (.Files.Get "conf/tsg_device_tag.json") . | quote }} - firewall.inf: {{ tpl (.Files.Get "conf/firewall.inf") . | quote }} - necessary_plug_list.conf: {{ tpl (.Files.Get "conf/necessary_plug_list.conf") . | quote }} - http_main.conf: {{ tpl (.Files.Get "conf/http_main.conf") . | quote }} - mail.conf: {{ tpl (.Files.Get "conf/mail.conf") . | quote }} - ssl_main.conf: {{ tpl (.Files.Get "conf/ssl_main.conf") . | quote }} - spec.toml: {{ tpl (.Files.Get "conf/spec.toml") . | quote }} - firewall_l7_protocol.conf: {{ tpl (.Files.Get "conf/firewall_l7_protocol.conf") . | quote }} - firewall_logger_transmitter_schema.json: {{ tpl (.Files.Get "conf/firewall_logger_transmitter_schema.json") . | quote }} - sapp_log.conf: {{ tpl (.Files.Get "conf/sapp_log.conf") . | quote }} \ No newline at end of file diff --git a/ansible/roles/traffic-engine/files/helm/templates/configmap-proxy.yaml b/ansible/roles/traffic-engine/files/helm/templates/configmap-proxy.yaml deleted file mode 100644 index 2384caaa..00000000 --- a/ansible/roles/traffic-engine/files/helm/templates/configmap-proxy.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -{{- if and (eq .Values.proxy.enable .Values.define_enable_val_yes) (ge (len .Values.tfe_affinity) 1) }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: proxy-{{ .Release.Name }} - namespace: default -data: - tfe.conf: {{ tpl (.Files.Get "conf/tfe.conf") . | quote }} - cert_store.ini: {{ tpl (.Files.Get "conf/cert_store.ini") . | quote }} - tsg_device_tag.json: {{ tpl (.Files.Get "conf/tsg_device_tag.json") . | quote }} - certstore_log.conf: {{ tpl (.Files.Get "conf/certstore_log.conf") . | quote }} - tfe_log.conf: {{ tpl (.Files.Get "conf/tfe_log.conf") . | quote }} -{{- end }} diff --git a/ansible/roles/traffic-engine/files/helm/templates/configmap-sce.yaml b/ansible/roles/traffic-engine/files/helm/templates/configmap-sce.yaml deleted file mode 100644 index 3cb98227..00000000 --- a/ansible/roles/traffic-engine/files/helm/templates/configmap-sce.yaml +++ /dev/null @@ -1,11 +0,0 @@ -{{- if eq .Values.service_chaining.enable .Values.define_enable_val_yes }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: sce-{{ .Release.Name }} - namespace: default -data: - sce.conf: {{ tpl (.Files.Get "conf/sce.conf") . | quote }} - tsg_device_tag.json: {{ tpl (.Files.Get "conf/tsg_device_tag.json") . | quote }} - sce_log.conf: {{ tpl (.Files.Get "conf/sce_log.conf") . | quote }} -{{- end }} \ No newline at end of file diff --git a/ansible/roles/traffic-engine/files/helm/templates/configmap-shaping.yaml b/ansible/roles/traffic-engine/files/helm/templates/configmap-shaping.yaml deleted file mode 100644 index e6fda39c..00000000 --- a/ansible/roles/traffic-engine/files/helm/templates/configmap-shaping.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -{{- if eq .Values.shaping.enable .Values.define_enable_val_yes }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: shaping-{{ .Release.Name }} - namespace: default -data: - shaping.conf: {{ tpl (.Files.Get "conf/shaping.conf") . | quote }} - tsg_device_tag.json: {{ tpl (.Files.Get "conf/tsg_device_tag.json") . | quote }} - shaping_log.conf: {{ tpl (.Files.Get "conf/shaping_log.conf") . | quote }} -{{- end }} \ No newline at end of file diff --git a/ansible/roles/traffic-engine/files/helm/templates/deployment-firewall.yaml b/ansible/roles/traffic-engine/files/helm/templates/deployment-firewall.yaml deleted file mode 100644 index 02096294..00000000 --- a/ansible/roles/traffic-engine/files/helm/templates/deployment-firewall.yaml +++ /dev/null 
@@ -1,309 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ .Release.Name }}-firewall - labels: - app: {{ .Release.Name }} - component: firewall - annotations: - reloader.stakater.com/auto: "true" - -spec: - replicas: 1 - selector: - matchLabels: - app: {{ .Release.Name }}-firewall - strategy: - type: Recreate - template: - metadata: - labels: - app: {{ .Release.Name }}-firewall - vsysId: "{{ .Values.vsys_id }}" - serviceFunction: {{ .Release.Name }} - component: firewall - {{- if eq .Values.dos_protector.enable .Values.define_enable_val_yes }} - dynamic-hostports: '8551.8552' - {{- end }} - annotations: - prometheus.io/port: "9010" - prometheus.io/scrape: "true" - spec: - tolerations: - - key: node-role.kubernetes.io/control-plane - operator: Exists - effect: NoSchedule - - key: node-role.kubernetes.io/master - operator: Exists - effect: NoSchedule - serviceAccountName: {{ .Release.Name }} - containers: - - name: firewall - image: "registry.gdnt-cloud.website/tsg-firewall:{{ .Chart.AppVersion }}" - imagePullPolicy: Never - workingDir: /opt/tsg/sapp - command: - - "bash" - - "-ec" - - | - ldconfig - {{- if eq .Values.dos_protector.enable .Values.define_enable_val_yes }} - {{- include "public.prepare-access-API" . 
| nindent 12 }} - until nslookup ${HOSTNAME}-8551.default.svc; do echo waiting for kubernetes service; sleep 2; done - curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/${NAMESPACE}/services/${HOSTNAME}-8551 -o /tmp/service.txt - export CLUSTER_ANNOUNCE_PORT=$(cat /tmp/service.txt | jq '.spec.ports[] | .nodePort') - until nslookup ${HOSTNAME}-8552.default.svc; do echo waiting for kubernetes service; sleep 2; done - curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/${NAMESPACE}/services/${HOSTNAME}-8552 -o /tmp/service.txt - export HEALTH_CHECK_ANNOUNCE_PORT=$(cat /tmp/service.txt | jq '.spec.ports[] | .nodePort') - echo "export CLUSTER_ANNOUNCE_PORT=${CLUSTER_ANNOUNCE_PORT}" > /etc/profile.d/announceinfo.sh - echo "export HEALTH_CHECK_ANNOUNCE_PORT=${HEALTH_CHECK_ANNOUNCE_PORT}" >> /etc/profile.d/announceinfo.sh - chmod 0755 /etc/profile.d/announceinfo.sh - - sed -Ei -c "s|NODE_IP_LOCATION|${NODE_IP?}|g" /opt/tsg/sapp/tsgconf/main.conf - sed -Ei -c "s|CLUSTER_ANNOUNCE_PORT_LOCATION|${CLUSTER_ANNOUNCE_PORT?}|g" /opt/tsg/sapp/tsgconf/main.conf - sed -Ei -c "s|HEALTH_CHECK_ANNOUNCE_PORT_LOCATION|${HEALTH_CHECK_ANNOUNCE_PORT?}|g" /opt/tsg/sapp/tsgconf/main.conf - {{- end }} - {{- if eq .Values.debug.firewall.enable_prestart_script .Values.define_enable_val_yes }} - echo WARNING: PRESTART.sh is enable, the commands in PRESTART.sh is: - cat /opt/tsg/scripts/prestart.sh - - chmod 0755 /opt/tsg/scripts/prestart.sh - source /opt/tsg/scripts/prestart.sh - - echo PRESTART.sh has been exec...... 
- {{- end }} - {{- if eq .Values.debug.firewall.enable_interactive_startup .Values.define_enable_val_yes }} - while true; do sleep 10;done - {{- else }} - exec /opt/tsg/sapp/sapp - {{- end }} - ports: - - containerPort: 51218 - {{- if eq .Values.dos_protector.enable .Values.define_enable_val_yes }} - - containerPort: 8551 - - containerPort: 8552 - {{- end }} - env: - - name: DEPLOYMENT_NAME - value: {{ .Release.Name }}-firewall - - name: MRZCPD_CTRLMSG_LISTEN_ADDR - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: OVERRIDE_SLED_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - securityContext: - privileged: true -{{- if eq .Values.debug.firewall.enable_liveness_probe .Values.define_enable_val_yes }} - livenessProbe: - tcpSocket: - port: 51218 - failureThreshold: 1 - timeoutSeconds: 10 - startupProbe: - tcpSocket: - port: 51218 - failureThreshold: 90 - periodSeconds: 10 -{{- end }} - - volumeMounts: - - name: journal-volume - mountPath: /run/systemd/journal - - name: shared-configs-volume - mountPath: "/opt/tsg/etc/tsg_sn.json" - subPath: "tsg_sn.json" - - name: shared-configs-volume - mountPath: "/opt/tsg/sapp/plug/conflist.inf" - subPath: "sapp/conflist.inf" - - name: shared-configs-volume - mountPath: "/opt/tsg/sapp/etc/gdev.conf" - subPath: "sapp/gdev.conf" - - name: shared-configs-volume - mountPath: "/opt/tsg/sapp/tsgconf/main.conf" - subPath: "sapp/main.conf" - - name: shared-configs-volume - mountPath: "/opt/tsg/sapp/tsgconf/maat.conf" - subPath: "sapp/maat.conf" - - name: shared-configs-volume - mountPath: "/opt/tsg/sapp/etc/sapp.toml" - subPath: "sapp/sapp.toml" - - name: shared-configs-volume - mountPath: "/opt/tsg/sapp/etc/send_raw_pkt.conf" - subPath: "sapp/send_raw_pkt.conf" - - name: shared-configs-volume - mountPath: "/opt/tsg/etc/tsg_device_tag.json" - subPath: "sapp/tsg_device_tag.json" - - name: shared-configs-volume - mountPath: 
"/opt/tsg/sapp/etc/vlan_flipping_map.conf" - subPath: "sapp/vlan_flipping_map.conf" - - name: shared-configs-volume - mountPath: "/opt/tsg/sapp/plug/business/firewall/firewall.inf" - subPath: "sapp/firewall.inf" - - name: shared-configs-volume - mountPath: "/opt/tsg/sapp/etc/necessary_plug_list.conf" - subPath: "sapp/necessary_plug_list.conf" - - name: shared-configs-volume - mountPath: "/opt/tsg/sapp/conf/http/http_main.conf" - subPath: "sapp/http_main.conf" - - name: shared-configs-volume - mountPath: "/opt/tsg/sapp/conf/mail/mail.conf" - subPath: "sapp/mail.conf" - - name: shared-configs-volume - mountPath: "/opt/tsg/sapp/conf/ssl/ssl_main.conf" - subPath: "sapp/ssl_main.conf" - - name: shared-configs-volume - mountPath: "/opt/tsg/sapp/stellar_plugin/spec.toml" - subPath: "sapp/spec.toml" - - name: shared-configs-volume - mountPath: "/opt/tsg/sapp/tsgconf/firewall_l7_protocol.conf" - subPath: "sapp/firewall_l7_protocol.conf" - - name: shared-configs-volume - mountPath: "/opt/tsg/sapp/tsgconf/firewall_logger_transmitter_schema.json" - subPath: "sapp/firewall_logger_transmitter_schema.json" - - name: shared-configs-volume - mountPath: "/opt/tsg/sapp/etc/sapp_log.conf" - subPath: "sapp/sapp_log.conf" - - name: firewall-log - mountPath: /opt/tsg/sapp/log - - name: metrics-json-dir - mountPath: "/opt/tsg/sapp/metrics" - {{- if eq .Values.debug.firewall.enable_prestart_script .Values.define_enable_val_yes }} - - name: prestart-dir - mountPath: /tmp/prestart - - name: firewall-prestart - mountPath: /opt/tsg/scripts/prestart.sh - {{- end }} - {{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }} - {{- if eq .Values.debug.firewall.enable_mount_host_filesystem .Values.define_enable_val_yes }} - - name: host-root - mountPath: /host - {{- end }} - {{- include "traffic-engine.mount.mrzcpd" . | nindent 8 }} - {{- include "public.license-support.dev-bus-usb-volume-mount" . | nindent 8 }} - {{- include "public.license-support.dev-shm-volume-mount" . 
| nindent 8 }} - - - name: fieldstat-exporter - image: "registry.gdnt-cloud.website/tsg-firewall:{{ .Chart.AppVersion }}" - imagePullPolicy: Never - command: - - "bash" - - "-ec" - - | - ldconfig - python3 /opt/tsg/framework/bin/fieldstat_exporter.py prometheus -p 9010 -d /opt/tsg/sapp/metrics - ports: - - containerPort: 9010 - securityContext: - privileged: true - livenessProbe: - tcpSocket: - port: 9010 - failureThreshold: 1 - timeoutSeconds: 10 - startupProbe: - tcpSocket: - port: 9010 - failureThreshold: 5 - periodSeconds: 10 - volumeMounts: - - name: metrics-json-dir - mountPath: "/opt/tsg/sapp/metrics" - {{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }} - - initContainers: - - name: init-default-svc - image: "registry.gdnt-cloud.website/tsg-init:{{ .Chart.AppVersion }}" - imagePullPolicy: Never - command: - - "bash" - - "-ec" - - | - until nslookup kubernetes.default.svc; do echo waiting for kubernetes service; sleep 2; done - - - name: init-packet-io-engine-ready - image: "registry.gdnt-cloud.website/tsg-init:{{ .Chart.AppVersion }}" - imagePullPolicy: Never - command: - - "bash" - - "-ec" - - | - until [ $(curl -s -o /dev/null -w "%{http_code}" http://${NODE_IP}:9086/probe) -eq 200 ]; do echo waiting for packet-io-engine ready; sleep 2; done - env: - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - - name: firewall-init - image: "registry.gdnt-cloud.website/tsg-init:{{ .Chart.AppVersion }}" - imagePullPolicy: Never - command: - - "bash" - - "-ec" - - | - cp -r /opt/tsg/configs/* /opt/tsg/shared-configs/ - {{- include "public.prepare-access-API" . | nindent 12 }} - {{- include "public.serialize-node-annotations" . 
| nindent 12 }} - securityContext: - privileged: true - env: - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - volumeMounts: - - name: shared-configs-volume - mountPath: /opt/tsg/shared-configs - - name: firewall-configs-volume - mountPath: /opt/tsg/configs/sapp - {{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }} - - volumes: - - name: journal-volume - hostPath: - path: /run/systemd/journal - type: Directory - - name: firewall-configs-volume - configMap: - name: firewall-{{ .Release.Name }} - - name: shared-configs-volume - emptyDir: {} - - name: metrics-json-dir - emptyDir: {} - - name: firewall-log - hostPath: - path: /var/log/traffic-engine/traffic-engine-{{ .Release.Name }}/sapp/ - {{- if eq .Values.debug.firewall.enable_prestart_script .Values.define_enable_val_yes }} - - name: prestart-dir - hostPath: - path: /etc/tsg-os/{{ .Release.Name }}/ - type: DirectoryOrCreate - - name: firewall-prestart - hostPath: - {{- if .Values.debug.firewall.prestart_script }} - path: {{ .Values.debug.firewall.prestart_script }} - {{- else }} - path: /etc/tsg-os/{{ .Release.Name }}/firewall_prestart_script.sh - {{- end }} - type: FileOrCreate - {{- end }} - {{- include "traffic-engine.volume.mrzcpd" . | nindent 6 }} - {{- include "public.sync-host-timezone.volume" . | nindent 6 }} - {{- if eq .Values.debug.firewall.enable_mount_host_filesystem .Values.define_enable_val_yes }} - - name: host-root - hostPath: - path: / - {{- end }} - {{- include "public.license-support.dev-bus-usb-volume" . | nindent 6 }} - {{- include "public.license-support.dev-shm-volume" . | nindent 6 }} \ No newline at end of file diff --git a/ansible/roles/traffic-engine/files/helm/templates/deployment-proxy.yaml b/ansible/roles/traffic-engine/files/helm/templates/deployment-proxy.yaml deleted file mode 100644 index 605b2d73..00000000 
--- a/ansible/roles/traffic-engine/files/helm/templates/deployment-proxy.yaml +++ /dev/null 
@@ -1,358 +0,0 @@ -{{- if and (eq .Values.proxy.enable .Values.define_enable_val_yes) (ge (len .Values.tfe_affinity) 1) }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ .Release.Name }}-proxy - labels: - app: {{ .Release.Name }} - component: proxy - annotations: - reloader.stakater.com/auto: "true" - -spec: - replicas: 1 - selector: - matchLabels: - app: {{ .Release.Name }}-proxy - strategy: - type: Recreate - template: - metadata: - labels: - app: {{ .Release.Name }}-proxy - vsysId: "{{ .Values.vsys_id }}" - serviceFunction: {{ .Release.Name }} - component: proxy - annotations: - prometheus.io/port: "9003" - prometheus.io/scrape: "true" - - spec: - tolerations: - - key: node-role.kubernetes.io/control-plane - operator: Exists - effect: NoSchedule - - key: node-role.kubernetes.io/master - operator: Exists - effect: NoSchedule - serviceAccountName: {{ .Release.Name }} - containers: - - name: proxy - image: "registry.gdnt-cloud.website/tsg-proxy:{{ .Chart.AppVersion }}" - imagePullPolicy: Never - workingDir: /opt/tsg/tfe - command: - - "bash" - - "-ec" - - | - ldconfig - {{- if eq .Values.debug.proxy.enable_prestart_script .Values.define_enable_val_yes }} - echo WARNING: PRESTART.sh is enable, the commands in PRESTART.sh is: - cat /opt/tsg/scripts/prestart.sh - - chmod 0755 /opt/tsg/scripts/prestart.sh - source /opt/tsg/scripts/prestart.sh - - echo PRESTART.sh has been exec...... 
- {{- end }} - {{- if eq .Values.debug.proxy.enable_interactive_startup .Values.define_enable_val_yes }} - while true; do sleep 10;done - {{- else }} - exec /opt/tsg/tfe/bin/tfe - {{- end }} - ports: - - containerPort: 9001 - env: - - name: DEPLOYMENT_NAME - value: {{ .Release.Name }}-proxy - - name: MRZCPD_CTRLMSG_LISTEN_ADDR - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: OVERRIDE_SLED_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - securityContext: - privileged: true -{{- if eq .Values.debug.proxy.enable_liveness_probe .Values.define_enable_val_yes }} - livenessProbe: - tcpSocket: - port: 9001 - failureThreshold: 1 - timeoutSeconds: 10 - startupProbe: - tcpSocket: - port: 9001 - failureThreshold: 30 - periodSeconds: 10 -{{- end }} - volumeMounts: - - name: journal-volume - mountPath: /run/systemd/journal - - name: shared-configs-volume - mountPath: "/opt/tsg/etc/tsg_sn.json" - subPath: "tsg_sn.json" - - name: shared-configs-volume - mountPath: "/opt/tsg/tfe/conf/tfe/tfe.conf" - subPath: "proxy/tfe.conf" - - name: shared-configs-volume - mountPath: "/opt/tsg/etc/tsg_device_tag.json" - subPath: "proxy/tsg_device_tag.json" - - name: shared-configs-volume - mountPath: "/opt/tsg/tfe/conf/tfe/zlog.conf" - subPath: "proxy/tfe_log.conf" - - name: proxy-log - mountPath: /opt/tsg/tfe/log - {{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }} - {{- if eq .Values.debug.proxy.enable_prestart_script .Values.define_enable_val_yes }} - - name: prestart-dir - mountPath: /tmp/prestart - - name: proxy-prestart - mountPath: /opt/tsg/scripts/prestart.sh - {{- end }} - {{- if eq .Values.debug.proxy.enable_mount_host_filesystem .Values.define_enable_val_yes }} - - name: host-root - mountPath: /host - {{- end }} - {{- include "traffic-engine.mount.mrzcpd" . | nindent 8 }} - {{- include "public.license-support.dev-bus-usb-volume-mount" . 
| nindent 8 }} - - - name: certstore - image: "registry.gdnt-cloud.website/tsg-certstore:{{ .Chart.AppVersion }}" - imagePullPolicy: Never - workingDir: /opt/tsg/certstore - command: - - "bash" - - "-ec" - - | - exec /opt/tsg/certstore/bin/certstore - securityContext: - privileged: true - ports: - - containerPort: 9002 - env: - - name: OVERRIDE_SLED_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - volumeMounts: - - name: shared-configs-volume - mountPath: "/opt/tsg/etc/tsg_sn.json" - subPath: "tsg_sn.json" - - name: shared-configs-volume - mountPath: "/opt/tsg/certstore/conf/cert_store.ini" - subPath: "proxy/cert_store.ini" - - name: shared-configs-volume - mountPath: "/opt/tsg/etc/tsg_device_tag.json" - subPath: "proxy/tsg_device_tag.json" - - name: shared-configs-volume - mountPath: "/opt/tsg/certstore/conf/zlog.conf" - subPath: "proxy/certstore_log.conf" - - name: certstore-log - mountPath: /opt/tsg/certstore/logs - {{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }} - - - name: cert-redis - image: "registry.gdnt-cloud.website/tsg-certstore:{{ .Chart.AppVersion }}" - imagePullPolicy: Never - command: ["/usr/bin/redis-server", "/etc/cert-redis.conf"] - securityContext: - privileged: true - volumeMounts: - {{- include "public.sync-host-timezone.volume-mount" . 
| nindent 8 }} - - - name: merged-exporter - image: "quay.io/rebuy/exporter-merger:v0.2.0" - imagePullPolicy: Never - env: - - name: MERGER_URLS - value: http://127.0.0.1:9001/metrics http://127.0.0.1:9002/metrics - - name: MERGER_PORT - value: "9003" - ports: - - containerPort: 9003 - - initContainers: - - name: init-default-svc - image: "registry.gdnt-cloud.website/tsg-init:{{ .Chart.AppVersion }}" - imagePullPolicy: Never - command: - - "bash" - - "-ec" - - | - until nslookup kubernetes.default.svc; do echo waiting for kubernetes service; sleep 2; done - - - name: init-packet-io-engine-ready - image: "registry.gdnt-cloud.website/tsg-init:{{ .Chart.AppVersion }}" - imagePullPolicy: Never - command: - - "bash" - - "-ec" - - | - until [ $(curl -s -o /dev/null -w "%{http_code}" http://${NODE_IP}:9086/probe) -eq 200 ]; do echo waiting for packet-io-engine ready; sleep 2; done - env: - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - - name: proxy-init - image: "registry.gdnt-cloud.website/tsg-init:{{ .Chart.AppVersion }}" - imagePullPolicy: Never - command: - - "bash" - - "-ecx" - - | - mount -o remount,rw /sys - # disable rpfilter - sysctl -w net.ipv4.conf.all.rp_filter=0 - sysctl -w net.ipv4.conf.default.rp_filter=0 - - # fs - sysctl -w fs.file-max=1048576 - sysctl -w net.core.somaxconn=131072 - - # tcp options about TIME_WAIT - sysctl -w net.ipv4.tcp_fin_timeout=10 - sysctl -w net.ipv4.tcp_tw_reuse=1 - sysctl -w net.ipv4.tcp_max_tw_buckets=4096 - sysctl -w net.ipv4.tcp_max_syn_backlog=131072 - - # bbr - sysctl -w net.ipv4.tcp_congestion_control=bbr - - # tcp feature - sysctl -w net.ipv4.tcp_ecn=0 - sysctl -w net.ipv4.tcp_sack=1 - sysctl -w net.ipv4.tcp_timestamps=1 - - # disable tcp windows scaling for kernel bugs - sysctl -w net.ipv4.tcp_window_scaling=0 - - ip tuntap add dev tap0 mode tap multi_queue - /usr/sbin/ip link set tap0 address fe:65:b7:03:50:bd - /usr/sbin/ip link set tap0 up - /usr/sbin/ip addr flush dev tap0 - /usr/sbin/ip addr 
add 172.16.241.2/30 dev tap0 - /usr/sbin/ip neigh flush dev tap0 - /usr/sbin/ip neigh add 172.16.241.1 lladdr 00:0e:c6:d6:72:c1 dev tap0 nud permanent - /usr/sbin/ip6tables -A INPUT -i tap0 -m bpf --bytecode '17,48 0 0 0,84 0 0 240,21 0 13 96,48 0 0 6,21 0 11 6,40 0 0 4,37 0 9 24,48 0 0 52,84 0 0 240,116 0 0 2,53 0 5 24,48 0 0 60,21 0 3 88,48 0 0 61,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1 - /usr/sbin/iptables -A INPUT -i tap0 -m bpf --bytecode '18,48 0 0 0,84 0 0 240,21 0 14 64,48 0 0 9,21 0 12 6,40 0 0 6,69 10 0 8191,177 0 0 0,80 0 0 12,84 0 0 240,116 0 0 2,53 0 5 24,80 0 0 20,21 0 3 88,80 0 0 21,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1 - /usr/sbin/ip rule add iif tap0 tab 100 - /usr/sbin/ip route add local default dev lo table 100 - /usr/sbin/ip rule add fwmark 0x65 lookup 101 - /usr/sbin/ip route add default dev tap0 via 172.16.241.1 table 101 - /usr/sbin/ip addr add fd00::02/64 dev tap0 - /usr/sbin/ip -6 route add default via fd00::01 - /usr/sbin/ip -6 rule add iif tap0 tab 102 - /usr/sbin/ip -6 route add local default dev lo table 102 - /usr/sbin/ip -6 neigh add fd00::01 lladdr 00:0e:c6:d6:72:c1 dev tap0 nud permanent - - #decrypted traffic steering - /usr/sbin/ip tuntap add dev tap_c mode tap multi_queue - /usr/sbin/ip tuntap add dev tap_s mode tap multi_queue - - /usr/sbin/ip link set tap_c address 80:61:5f:0f:97:e5 - /usr/sbin/ip link set tap_s address 80:61:5f:0f:97:e6 - - /usr/sbin/ip link set tap_c up - /usr/sbin/ip link set tap_s up - - /usr/sbin/ethtool --offload tap_c rx off tx off - /usr/sbin/ethtool --offload tap_s rx off tx off - - /usr/sbin/ip link set tap_c up - /usr/sbin/ip link set tap_s up - /usr/sbin/ip addr flush dev tap_c - /usr/sbin/ip addr flush dev tap_s - - /usr/sbin/ip addr add 2.2.2.2/24 dev tap_c - /usr/sbin/ip addr add 3.3.3.3/24 dev tap_s - /usr/sbin/ip -4 neigh flush dev tap_c - /usr/sbin/ip -4 neigh flush dev tap_s - /usr/sbin/ip -4 neigh add 2.2.2.1 lladdr 80:61:5f:0f:97:e6 dev tap_c nud permanent - 
/usr/sbin/ip -4 neigh add 3.3.3.1 lladdr 80:61:5f:0f:97:e5 dev tap_s nud permanent - /usr/sbin/ip -4 rule add fwmark 0x11 lookup 111 - /usr/sbin/ip -4 rule add fwmark 0x22 lookup 222 - /usr/sbin/ip -4 route add default dev tap_c via 2.2.2.1 table 111 - /usr/sbin/ip -4 route add default dev tap_s via 3.3.3.1 table 222 - /usr/sbin/ip -4 rule add iif tap_c tab 100 - /usr/sbin/ip -4 rule add iif tap_s tab 100 - - /usr/sbin/ip addr add fd02::02/64 dev tap_c - /usr/sbin/ip addr add fd03::03/64 dev tap_s - /usr/sbin/ip -6 neigh flush dev tap_c - /usr/sbin/ip -6 neigh flush dev tap_s - /usr/sbin/ip -6 neigh add fd02::01 lladdr 80:61:5f:0f:97:e6 dev tap_c nud permanent - /usr/sbin/ip -6 neigh add fd03::01 lladdr 80:61:5f:0f:97:e5 dev tap_s nud permanent - /usr/sbin/ip -6 rule add fwmark 0x11 lookup 333 - /usr/sbin/ip -6 rule add fwmark 0x22 lookup 444 - /usr/sbin/ip -6 route add default dev tap_c via fd02::01 table 333 - /usr/sbin/ip -6 route add default dev tap_s via fd03::01 table 444 - /usr/sbin/ip -6 rule add iif tap_c tab 102 - /usr/sbin/ip -6 rule add iif tap_s tab 102 - - cp -r /opt/tsg/configs/* /opt/tsg/shared-configs/ - {{ include "public.prepare-access-API" . | nindent 12 }} - {{- include "public.serialize-node-annotations" . | nindent 12 }} - sed -Ei -c "s|DEVICE_ID_PLACE_HOLDER_MARK|${DEVICE_SN?}|g" /opt/tsg/shared-configs/proxy/tfe.conf - - securityContext: - privileged: true - env: - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - volumeMounts: - - name: shared-configs-volume - mountPath: /opt/tsg/shared-configs - - name: proxy-configs-volume - mountPath: /opt/tsg/configs/proxy - {{- include "public.sync-host-timezone.volume-mount" . 
| nindent 8 }} - - volumes: - - name: journal-volume - hostPath: - path: /run/systemd/journal - type: Directory - - name: proxy-configs-volume - configMap: - name: proxy-{{ .Release.Name }} - - name: shared-configs-volume - emptyDir: {} - - name: proxy-log - hostPath: - path: /var/log/traffic-engine/traffic-engine-{{ .Release.Name }}/tfe/ - - name: certstore-log - hostPath: - path: /var/log/traffic-engine/traffic-engine-{{ .Release.Name }}/certstore/ - {{- include "traffic-engine.volume.mrzcpd" . | nindent 6 }} - {{- include "public.sync-host-timezone.volume" . | nindent 6 }} - {{- if eq .Values.debug.proxy.enable_prestart_script .Values.define_enable_val_yes }} - - name: prestart-dir - hostPath: - path: /etc/tsg-os/{{ .Release.Name }}/ - type: DirectoryOrCreate - - name: proxy-prestart - hostPath: - {{- if .Values.debug.proxy.prestart_script }} - path: {{ .Values.debug.proxy.prestart_script }} - {{- else }} - path: /etc/tsg-os/{{ .Release.Name }}/proxy_prestart_script.sh - {{- end }} - type: FileOrCreate - {{- end }} - {{- if eq .Values.debug.proxy.enable_mount_host_filesystem .Values.define_enable_val_yes }} - - name: host-root - hostPath: - path: / - {{- end }} - {{- include "public.license-support.dev-bus-usb-volume" . | nindent 6 }} - -{{- end }} \ No newline at end of file diff --git a/ansible/roles/traffic-engine/files/helm/templates/deployment-sce.yaml b/ansible/roles/traffic-engine/files/helm/templates/deployment-sce.yaml deleted file mode 100644 index 6db021ae..00000000 --- a/ansible/roles/traffic-engine/files/helm/templates/deployment-sce.yaml +++ /dev/null 
@@ -1,255 +0,0 @@ -{{- if eq .Values.service_chaining.enable .Values.define_enable_val_yes }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ .Release.Name }}-sce - labels: - app: {{ .Release.Name }} - component: service-chaining - annotations: - reloader.stakater.com/auto: "true" - -spec: - replicas: 1 - selector: - matchLabels: - app: {{ .Release.Name }}-service-chaining - strategy: - type: Recreate - template: - metadata: - labels: - app: {{ .Release.Name }}-service-chaining - vsysId: "{{ .Values.vsys_id }}" - serviceFunction: {{ .Release.Name }} - component: service-chaining - annotations: - prometheus.io/port: "9006" - prometheus.io/scrape: "true" - - spec: - tolerations: - - key: node-role.kubernetes.io/control-plane - operator: Exists - effect: NoSchedule - - key: node-role.kubernetes.io/master - operator: Exists - effect: NoSchedule - serviceAccountName: {{ .Release.Name }} - containers: - - name: sce - image: "registry.gdnt-cloud.website/tsg-sce:{{ .Chart.AppVersion }}" - imagePullPolicy: Never - workingDir: /opt/tsg/sce - command: - - "bash" - - "-ec" - - | - ldconfig - {{- if eq .Values.debug.service_chaining.enable_prestart_script .Values.define_enable_val_yes }} - echo WARNING: PRESTART.sh is enable, the commands in PRESTART.sh is: - cat /opt/tsg/scripts/prestart.sh - - chmod 0755 /opt/tsg/scripts/prestart.sh - source /opt/tsg/scripts/prestart.sh - - echo PRESTART.sh has been exec...... 
- {{- end }} - {{- if eq .Values.debug.service_chaining.enable_interactive_startup .Values.define_enable_val_yes }} - while true; do sleep 10;done - {{- else }} - exec /opt/tsg/sce/bin/sce - {{- end }} - ports: - - containerPort: 9006 - env: - - name: DEPLOYMENT_NAME - value: {{ .Release.Name }}-service-chaining - - name: MRZCPD_CTRLMSG_LISTEN_ADDR - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: OVERRIDE_SLED_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - securityContext: - privileged: true -{{- if eq .Values.debug.service_chaining.enable_liveness_probe .Values.define_enable_val_yes }} - livenessProbe: - tcpSocket: - port: 9006 - failureThreshold: 1 - timeoutSeconds: 10 - startupProbe: - tcpSocket: - port: 9006 - failureThreshold: 30 - periodSeconds: 10 -{{- end }} - volumeMounts: - - name: journal-volume - mountPath: /run/systemd/journal - - name: shared-configs-volume - mountPath: "/opt/tsg/etc/tsg_sn.json" - subPath: "tsg_sn.json" - - name: shared-configs-volume - mountPath: "/opt/tsg/sce/conf/sce.conf" - subPath: "sce/sce.conf" - - name: shared-configs-volume - mountPath: "/opt/tsg/etc/tsg_device_tag.json" - subPath: "sce/tsg_device_tag.json" - - name: shared-configs-volume - mountPath: "/opt/tsg/sce/conf/zlog.conf" - subPath: "sce/sce_log.conf" - - name: sce-log - mountPath: /opt/tsg/sce/log - - name: bfdd-unix-socket - mountPath: /run/frr - {{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }} - {{- if eq .Values.debug.service_chaining.enable_prestart_script .Values.define_enable_val_yes }} - - name: prestart-dir - mountPath: /tmp/prestart - - name: service-chaining-prestart - mountPath: /opt/tsg/scripts/prestart.sh - {{- end }} - {{- if eq .Values.debug.service_chaining.enable_mount_host_filesystem .Values.define_enable_val_yes }} - - name: host-root - mountPath: /host - {{- end }} - {{- include "traffic-engine.mount.mrzcpd" . 
| nindent 8 }} - - - name: bfdd - image: "registry.gdnt-cloud.website/tsg-bfdd:{{ .Chart.AppVersion }}" - imagePullPolicy: Never - workingDir: /opt/tsg/bfdd - command: - - "bash" - - "-ec" - - | - exec /opt/tsg/bfdd/bin/bfdd -u root -g root - env: - - name: MRZCPD_CTRLMSG_LISTEN_ADDR - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: OVERRIDE_SLED_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - securityContext: - privileged: true - volumeMounts: - - name: shared-configs-volume - mountPath: "/opt/tsg/etc/tsg_sn.json" - subPath: "tsg_sn.json" - - name: bfdd-log - mountPath: /opt/tsg/bfdd/log - - name: bfdd-unix-socket - mountPath: /run/frr - {{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }} - - initContainers: - - name: init-default-svc - image: "registry.gdnt-cloud.website/tsg-init:{{ .Chart.AppVersion }}" - imagePullPolicy: Never - command: - - "bash" - - "-ec" - - | - until nslookup kubernetes.default.svc; do echo waiting for kubernetes service; sleep 2; done - - - name: init-packet-io-engine-ready - image: "registry.gdnt-cloud.website/tsg-init:{{ .Chart.AppVersion }}" - imagePullPolicy: Never - command: - - "bash" - - "-ec" - - | - until [ $(curl -s -o /dev/null -w "%{http_code}" http://${NODE_IP}:9086/probe) -eq 200 ]; do echo waiting for packet-io-engine ready; sleep 2; done - env: - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - - name: service-chaining-init - image: "registry.gdnt-cloud.website/tsg-init:{{ .Chart.AppVersion }}" - imagePullPolicy: Never - command: - - "bash" - - "-ecx" - - | - cp -r /opt/tsg/configs/* /opt/tsg/shared-configs/ - {{- include "public.prepare-access-API" . | nindent 12 }} - {{- include "public.serialize-node-annotations" . 
| nindent 12 }} - sed -Ei -c "s|DEVICE_ID_PLACE_HOLDER_MARK|${DEVICE_SN?}|g" /opt/tsg/shared-configs/sce/sce.conf - {{- if .Values.sce_config.vxlan_config.endpoint_nic }} - ip tuntap add dev {{ .Values.sce_config.vxlan_config.endpoint_nic }} mode tap - ip link set dev {{ .Values.sce_config.vxlan_config.endpoint_nic }} up - ip route add {{ .Values.sce_config.vxlan_config.endpoint_netip }}/{{ .Values.sce_config.vxlan_config.endpoint_mask }} dev {{ .Values.sce_config.vxlan_config.endpoint_nic }} table 10 - {{- if .Values.sce_config.vxlan_config.endpoint_gateway }} - ip route add default via {{ .Values.sce_config.vxlan_config.endpoint_gateway }} table 10 - {{- end }} - ip a a {{ .Values.sce_config.vxlan_config.endpoint_ip }}/{{ .Values.sce_config.vxlan_config.endpoint_mask }} dev {{ .Values.sce_config.vxlan_config.endpoint_nic }} noprefixroute - ip rule add dport 3784 table 10 - iptables -t mangle -A PREROUTING -p udp --dport 3784 -j TTL --ttl-set 255 - {{- end }} - securityContext: - privileged: true - env: - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - volumeMounts: - - name: shared-configs-volume - mountPath: /opt/tsg/shared-configs - - name: sce-configs-volume - mountPath: /opt/tsg/configs/sce - {{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }} - - volumes: - - name: journal-volume - hostPath: - path: /run/systemd/journal - type: Directory - - name: sce-configs-volume - configMap: - name: sce-{{ .Release.Name }} - - name: shared-configs-volume - emptyDir: {} - - name: sce-log - hostPath: - path: /var/log/traffic-engine/traffic-engine-{{ .Release.Name }}/sce/ - - name: bfdd-log - hostPath: - path: /var/log/traffic-engine/traffic-engine-{{ .Release.Name }}/bfdd/ - - name: bfdd-unix-socket - emptyDir: {} - {{- include "traffic-engine.volume.mrzcpd" . | nindent 6 }} - {{- include "public.sync-host-timezone.volume" . 
| nindent 6 }} - {{- if eq .Values.debug.service_chaining.enable_prestart_script .Values.define_enable_val_yes }} - - name: prestart-dir - hostPath: - path: /etc/tsg-os/{{ .Release.Name }}/ - type: DirectoryOrCreate - - name: service-chaining-prestart - hostPath: - {{- if .Values.debug.service_chaining.prestart_script }} - path: {{ .Values.debug.service_chaining.prestart_script }} - {{- else }} - path: /etc/tsg-os/{{ .Release.Name }}/service_chaining_prestart_script.sh - {{- end }} - type: FileOrCreate - {{- end }} - {{- if eq .Values.debug.service_chaining.enable_mount_host_filesystem .Values.define_enable_val_yes }} - - name: host-root - hostPath: - path: / - {{- end }} -{{- end }} \ No newline at end of file diff --git a/ansible/roles/traffic-engine/files/helm/templates/deployment-shaping.yaml b/ansible/roles/traffic-engine/files/helm/templates/deployment-shaping.yaml deleted file mode 100644 index 8a8bf5c7..00000000 --- a/ansible/roles/traffic-engine/files/helm/templates/deployment-shaping.yaml +++ /dev/null 
@@ -1,264 +0,0 @@ -{{- if eq .Values.shaping.enable .Values.define_enable_val_yes }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ .Release.Name }}-shaping - labels: - app: {{ .Release.Name }} - component: shaping - annotations: - reloader.stakater.com/auto: "true" - -spec: - replicas: 1 - selector: - matchLabels: - app: {{ .Release.Name }}-shaping - strategy: - type: Recreate - template: - metadata: - labels: - app: {{ .Release.Name }}-shaping - vsysId: "{{ .Values.vsys_id }}" - serviceFunction: {{ .Release.Name }} - component: shaping - dynamic-hostports: '8551.8552' - annotations: - prometheus.io/port: "9007" - prometheus.io/scrape: "true" - - spec: - tolerations: - - key: node-role.kubernetes.io/control-plane - operator: Exists - effect: NoSchedule - - key: node-role.kubernetes.io/master - operator: Exists - effect: NoSchedule - serviceAccountName: {{ .Release.Name }} - containers: - - name: shaping - image: "registry.gdnt-cloud.website/tsg-shaping:{{ .Chart.AppVersion }}" - imagePullPolicy: Never - workingDir: /opt/tsg/shaping_engine - command: - - "bash" - - "-ec" - - | - ldconfig - {{- include "public.prepare-access-API" . 
| nindent 12 }} - until nslookup ${MY_POD_NAME}-8551.default.svc; do echo waiting for kubernetes service; sleep 2; done - curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/${NAMESPACE}/services/${MY_POD_NAME}-8551 -o /tmp/service.txt - export CLUSTER_ANNOUNCE_PORT=$(cat /tmp/service.txt | jq '.spec.ports[] | .nodePort') - until nslookup ${MY_POD_NAME}-8552.default.svc; do echo waiting for kubernetes service; sleep 2; done - curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/${NAMESPACE}/services/${MY_POD_NAME}-8552 -o /tmp/service.txt - export HEALTH_CHECK_ANNOUNCE_PORT=$(cat /tmp/service.txt | jq '.spec.ports[] | .nodePort') - echo "export CLUSTER_ANNOUNCE_PORT=${CLUSTER_ANNOUNCE_PORT}" > /etc/profile.d/announceinfo.sh - echo "export HEALTH_CHECK_ANNOUNCE_PORT=${HEALTH_CHECK_ANNOUNCE_PORT}" >> /etc/profile.d/announceinfo.sh - chmod 0755 /etc/profile.d/announceinfo.sh - - sed -Ei -c "s|NODE_IP_LOCATION|${NODE_IP?}|g" /opt/tsg/shaping_engine/conf/shaping.conf - sed -Ei -c "s|CLUSTER_ANNOUNCE_PORT_LOCATION|${CLUSTER_ANNOUNCE_PORT?}|g" /opt/tsg/shaping_engine/conf/shaping.conf - sed -Ei -c "s|HEALTH_CHECK_ANNOUNCE_PORT_LOCATION|${HEALTH_CHECK_ANNOUNCE_PORT?}|g" /opt/tsg/shaping_engine/conf/shaping.conf - {{- if eq .Values.debug.shaping.enable_prestart_script .Values.define_enable_val_yes }} - echo WARNING: PRESTART.sh is enable, the commands in PRESTART.sh is: - cat /opt/tsg/scripts/prestart.sh - - chmod 0755 /opt/tsg/scripts/prestart.sh - source /opt/tsg/scripts/prestart.sh - - echo PRESTART.sh has been exec...... 
- {{- end }} - {{- if eq .Values.debug.shaping.enable_interactive_startup .Values.define_enable_val_yes }} - while true; do sleep 10;done - {{- else }} - exec /opt/tsg/shaping_engine/bin/shaping_engine - {{- end }} - ports: - - containerPort: 8551 - - containerPort: 8552 - env: - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: DEPLOYMENT_NAME - value: {{ .Release.Name }}-shaping - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: MRZCPD_CTRLMSG_LISTEN_ADDR - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: OVERRIDE_SLED_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP -{{- if eq .Values.debug.shaping.enable_liveness_probe .Values.define_enable_val_yes }} - livenessProbe: - tcpSocket: - port: 8552 - failureThreshold: 1 - timeoutSeconds: 10 - startupProbe: - tcpSocket: - port: 8552 - failureThreshold: 30 - periodSeconds: 10 -{{- end }} - securityContext: - privileged: true - volumeMounts: - - name: journal-volume - mountPath: /run/systemd/journal - - name: shared-configs-volume - mountPath: "/opt/tsg/etc/tsg_sn.json" - subPath: "tsg_sn.json" - - name: shared-configs-volume - mountPath: "/opt/tsg/shaping_engine/conf/shaping.conf" - subPath: "shaping/shaping.conf" - - name: shared-configs-volume - mountPath: "/opt/tsg/etc/tsg_device_tag.json" - subPath: "shaping/tsg_device_tag.json" - - name: shared-configs-volume - mountPath: "/opt/tsg/shaping_engine/conf/zlog.conf" - subPath: "shaping/shaping_log.conf" - - name: shaping-log - mountPath: /opt/tsg/shaping_engine/log - - name: metrics-json-dir - mountPath: "/opt/tsg/shaping_engine/metric" - {{- include "public.sync-host-timezone.volume-mount" . 
| nindent 8 }} - {{- if eq .Values.debug.shaping.enable_prestart_script .Values.define_enable_val_yes }} - - name: prestart-dir - mountPath: /tmp/prestart - - name: shaping-prestart - mountPath: /opt/tsg/scripts/prestart.sh - {{- end }} - {{- if eq .Values.debug.shaping.enable_mount_host_filesystem .Values.define_enable_val_yes }} - - name: host-root - mountPath: /host - {{- end }} - {{- include "traffic-engine.mount.mrzcpd" . | nindent 8 }} - - - name: fieldstat-exporter - image: "registry.gdnt-cloud.website/tsg-shaping:{{ .Chart.AppVersion }}" - imagePullPolicy: Never - command: - - "bash" - - "-ec" - - | - ldconfig - python3 /opt/tsg/framework/bin/fieldstat_exporter.py prometheus -p 9007 -d /opt/tsg/shaping_engine/metric - ports: - - containerPort: 9007 - securityContext: - privileged: true - livenessProbe: - tcpSocket: - port: 9007 - failureThreshold: 1 - timeoutSeconds: 10 - startupProbe: - tcpSocket: - port: 9007 - failureThreshold: 5 - periodSeconds: 10 - volumeMounts: - - name: metrics-json-dir - mountPath: "/opt/tsg/shaping_engine/metric" - {{- include "public.sync-host-timezone.volume-mount" . 
| nindent 8 }} - - initContainers: - - name: init-default-svc - image: "registry.gdnt-cloud.website/tsg-init:{{ .Chart.AppVersion }}" - imagePullPolicy: Never - command: - - "bash" - - "-ec" - - | - until nslookup kubernetes.default.svc; do echo waiting for kubernetes service; sleep 2; done - - - name: init-packet-io-engine-ready - image: "registry.gdnt-cloud.website/tsg-init:{{ .Chart.AppVersion }}" - imagePullPolicy: Never - command: - - "bash" - - "-ec" - - | - until [ $(curl -s -o /dev/null -w "%{http_code}" http://${NODE_IP}:9086/probe) -eq 200 ]; do echo waiting for packet-io-engine ready; sleep 2; done - env: - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - - name: shaping-init - image: "registry.gdnt-cloud.website/tsg-init:{{ .Chart.AppVersion }}" - imagePullPolicy: Never - command: - - "bash" - - "-ecx" - - | - cp -r /opt/tsg/configs/* /opt/tsg/shared-configs/ - {{- include "public.prepare-access-API" . | nindent 12 }} - {{- include "public.serialize-node-annotations" . | nindent 12 }} - sed -Ei -c "s|DEVICE_ID_PLACE_HOLDER_MARK|${DEVICE_SN?}|g" /opt/tsg/shared-configs/shaping/shaping.conf - securityContext: - privileged: true - env: - - name: NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - volumeMounts: - - name: shared-configs-volume - mountPath: /opt/tsg/shared-configs - - name: shaping-configs-volume - mountPath: /opt/tsg/configs/shaping - {{- include "public.sync-host-timezone.volume-mount" . | nindent 8 }} - - volumes: - - name: journal-volume - hostPath: - path: /run/systemd/journal - type: Directory - - name: shaping-configs-volume - configMap: - name: shaping-{{ .Release.Name }} - - name: shared-configs-volume - emptyDir: {} - - name: metrics-json-dir - emptyDir: {} - - name: shaping-log - hostPath: - path: /var/log/traffic-engine/traffic-engine-{{ .Release.Name }}/shaping_engine/ - {{- include "traffic-engine.volume.mrzcpd" . 
| nindent 6 }} - {{- include "public.sync-host-timezone.volume" . | nindent 6 }} - {{- if eq .Values.debug.shaping.enable_prestart_script .Values.define_enable_val_yes }} - - name: prestart-dir - hostPath: - path: /etc/tsg-os/{{ .Release.Name }}/ - type: DirectoryOrCreate - - name: shaping-prestart - hostPath: - {{- if .Values.debug.shaping.prestart_script }} - path: {{ .Values.debug.shaping.prestart_script }} - {{- else }} - path: /etc/tsg-os/{{ .Release.Name }}/shaping_prestart_script.sh - {{- end }} - type: FileOrCreate - {{- end }} - {{- if eq .Values.debug.shaping.enable_mount_host_filesystem .Values.define_enable_val_yes }} - - name: host-root - hostPath: - path: / - {{- end }} -{{- end }} diff --git a/ansible/roles/traffic-engine/files/helm/templates/serviceaccount.yaml b/ansible/roles/traffic-engine/files/helm/templates/serviceaccount.yaml deleted file mode 100644 index b152de2f..00000000 --- a/ansible/roles/traffic-engine/files/helm/templates/serviceaccount.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - vsysId: "{{ .Values.vsys_id }}" - serviceFunction: {{ .Release.Name }} - name: {{ .Release.Name }} - namespace: {{ .Release.Namespace }} diff --git a/ansible/roles/traffic-engine/files/helm/values.yaml b/ansible/roles/traffic-engine/files/helm/values.yaml deleted file mode 100644 index a685e11e..00000000 --- a/ansible/roles/traffic-engine/files/helm/values.yaml +++ /dev/null 
@@ -1,256 +0,0 @@ -external_resources: - cm: - ## @param external_resources.cm.connection value in [direct, local_cache], default: direct - ## - connectivity: direct - direct: - address: 10.X.X.X - port: 7002 - local_cache: - cache_name: tsg_traffic_cm_local_cache_1 - port_num: 1 - sd: - ## @param external_resources.cm.connection value in [direct, local_cache], default: local_cache - ## - enable: no - connectivity: direct - db_index: 0 - policy_effect_interval_ms: 100 - policy_garbage_collection_interval_ms: 30000 - policy_update_check_interval_ms: 100 - direct: - address: 10.1.1.1 - port: 7002 - local_cache: - cache_name: tsg_traffic_sd_local_cache_1 - - - olap: - kafka_brokers: - sasl_username: - sasl_password: - addresses: - - address: - port: - udp_collectors: - enable: no - addresses: - - address: - port: - - -device: - tags: - - key1: value1 - - key2: value2 - -session_id_generator: - snowflake_worker_id_base: 1 - snowflake_worker_id_offset: 1 - -firewall: - enable: yes - enable_smartoffload: no - logs: - enable: yes - contains_app_id: - enable: yes - contains_dns_resource_record: - enable: yes - ringbuf: - size: 100000 - -appsketch: - enable: yes - qdpi_detector: yes - context_based_detector: yes - -transaction_record: - enable_http: yes - enable_dns: yes - enable_mail: yes - -session_record: - enable: yes - -file_stream_record: - enable: yes - -session_manager: - tcp_session_max: 20021 - tcp_session_unordered_pkt_max: 128 - tcp_session_timeout_in_sec: 30 - udp_session_timeout_in_sec: 60 - tcp_session_opening_timeout_in_sec: 60 - tcp_session_closing_timeout_in_sec: 30 - udp_session_max: 5021 - tcp_duplicated_packet_filter: yes - udp_duplicated_packet_filter: yes - inject_duplicated_packet_filter: yes - -traffic_mirror: - enable_raw_traffic: yes - enable_decrypted_traffic: yes - -packet_capture: - enable: yes - -proxy: - enable: yes - -voip_record: - enable_sip: yes - enable_rtp: yes - -overload_protection: - enable: yes - detect_interval_in_ms: 500 - 
detect_smooth_avg_window: 2 - detect_threshold_cpu_usages: 90 - recovery_detect_cycle_in_sec: 30 - -vsys_id: 1 - -etherfabric_settings: - keepalive: - ip: 10.254.19.1 - mask: 255.255.255.0 - -sapp_affinity: [5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76] -tfe_affinity: [77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92] -sce_affinity: [92] -shaping_affinity: [93] -pktio_affinity: [94] -inject_adapter_affinity: [95] - -tfe_rps_mask: "00000000" - -nic_policy_log_name: eth0 -nic_raw_name: eth0 -nic_mirror_name: - firewall: eth0 - proxy: eth0 - -define_enable_val_yes: yes -define_enable_val_no: no - -coredump: - format: "minidump" - collect: "local" - sentry_url: "www.testing.com" - -session_id_generator: - snowflake_worker_id_base: 1 - snowflake_worker_id_offset: 1 - -decoders: - DNS: yes - QUIC: yes - HTTP: yes - HTTP_GZIP: yes - MAIL: yes - MAIL_BASE64: yes - FTP: yes - SSL: yes - SSL_CERT: yes - SSL_JA3: yes - RTP: yes - SIP: yes - SSH: yes - SOCKS: yes - STRATUM: yes - RDP: yes - DTLS: yes - SSL_DETAIN_FRAG_CHELLO: no - -configHash: "defaulthash" - -shaping: - enable: no -inject_adapter: - enable: yes - -service_chaining: - enable: yes - -sce_config: - steering_nic: nf_0_sce - vxlan_config: - endpoint_nic: ep_0_sce_l3 - endpoint_ip: 127.0.0.1 - endpoint_gateway: 127.0.0.1 - endpoint_netip: 127.0.0.1 - endpoint_mask: 24 - vlan_config: - endpoint_nic: ep_0_sce_l2 - -proxy_config: - proxy_nic: nf_1_proxy - -sid: - firewall: 1000 - proxy: 1001 - sce: 1002 - shaping: 1003 - inject_adapter: 1064 - -shaping_config: - shaping_nic: nf_1_shaping_engine - -inject_adapter_config: - inject_adapter_nic: nf_1_shaping_engine - -app_symbol_index: 1 -distmode: 2 - -debug: - firewall: - enable_liveness_probe: yes - enable_interactive_startup: no - enable_prestart_script: no - enable_mount_host_filesystem: no - #default: 
/etc/tsg-os/${service_function_name}/firewall_prestart_script.sh - prestart_script: "" - proxy: - enable_liveness_probe: yes - enable_interactive_startup: no - enable_prestart_script: no - enable_mount_host_filesystem: no - #default: /etc/tsg-os/${service_function_name}/proxy_prestart_script.sh - prestart_script: "" - service_chaining: - enable_liveness_probe: yes - enable_interactive_startup: no - enable_prestart_script: no - enable_mount_host_filesystem: no - #default: /etc/tsg-os/${service_function_name}/service_chaining_prestart_script.sh - prestart_script: "" - shaping: - enable_liveness_probe: yes - enable_interactive_startup: no - enable_prestart_script: no - enable_mount_host_filesystem: no - #default: /etc/tsg-os/${service_function_name}/shaping_prestart_script.sh - prestart_script: "" - inject_adapter: - enable_liveness_probe: yes - enable_interactive_startup: no - enable_prestart_script: no - enable_mount_host_filesystem: no - #default: /etc/tsg-os/${service_function_name}/shaping_prestart_script.sh - prestart_script: "" - -session_flags: - enable: yes - -dos_protector: - enable: no - -stat_policy_enforcer: - enable: yes - -traffic_sketch: - enable: yes - -policy_sketch: - enable: yes \ No newline at end of file