commit 6478678b4550d8d7e5c34d6821fc5859d88f5702 Author: fumingwei Date: Mon Feb 1 14:50:45 2021 +0800 新增kernel-ml,sapp,mrzcpd,mesaframework,解析解析层插件的相关dpi基础安装包
diff --git a/install_config/group_vars/server_as_tun_mode.yml b/install_config/group_vars/server_as_tun_mode.yml
new file mode 100644
index 0000000..93466ad
--- /dev/null
+++ b/install_config/group_vars/server_as_tun_mode.yml
@@ -0,0 +1,64 @@
+#########################################
+#####0: Pcap; 1: Inline_device; 5:ATCA_VXLAN;
+tsg_access_type: 0
+#####0: Tun_mode; 1: normal;
+tsg_running_type: 0
+
+
+#########################################
+#Sapp Performance Config
+#如果tsg_access_type=0,sapp跑在pcap模式,则以下配置可忽略
+sapp:
+ worker_threads: 23
+ send_only_threads_max: 1
+ bind_mask: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
+ inbound_route_dir: 1
+
+#########################################
+#Sapp Double-Arm Config
+packet_io:
+ internal_interface: eth2
+ external_interface: eth3
+
+
+#########################################
+#Marsio Config
+mrzcpd:
+ iocore: 39
+
+mrtunnat:
+ lcore_id: 38
+
+
+#########################################
+#ATCA Config
+#下列配置只在tsg_access_type=4时生效
+ATCA_data_incoming:
+ ethname: enp1s0
+ vf0_name: enp1s2
+ vf1_name: enp1s2f1
+ vf2_name: enp1s2f2
+
+ATCA_VlanFlipping:
+ vlanID_1: 100
+ vlanID_2: 101
+ vlanID_3: 103
+ vlanID_4: 104
+
+#下列配置只在tsg_access_type=5时生效
+ATCA_VXLAN:
+ keepalive_ip: "10.254.19.1"
+ keepalive_mask: "255.255.255.252"
+
+#########################################
+#Inline Device Config
+inline_device_config:
+ keepalive_ip: 192.168.1.30
+ keepalive_mask: 255.255.255.252
+ data_incoming: eth5
+
+#########################################
+
+sapp_prometheus_enable: 1
+sapp_prometheus_port: 9273
+sapp_prometheus_url_path: "/metrics"
diff --git a/install_config/hosts b/install_config/hosts
new file mode 100644
index 0000000..0fe8b50
--- /dev/null
+++ b/install_config/hosts
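Review bot: The value comments above `tsg_access_type` and `tsg_running_type` list only part of what the roles in this commit branch on. The header names 0, 1 and 5, but roles/mrzcpd/tasks/main.yml also tests 2, 3 and 4 (and a later comment in this same file refers to `tsg_access_type=4`), while `tsg_running_type` is documented as 0 or 1 and the tasks test `== 2`. Since the chosen value decides which packet-path services are enabled or masked, I would spell out every accepted value, going by the template names the tasks select: `#####0: Pcap; 1: Inline_device; 2: Allot_access; 3: ADC_tun_mode; 4: ATCA_Vlan_Flipping; 5: ATCA_VXLAN;`. `sapp_prometheus_enable: 1` also switches the metrics endpoint on by default on port 9273; the bind address is not visible here, so confirm it is reachable only from the monitoring network.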
@@ -0,0 +1,45 @@ +################### +# For example # +################### +#变量device_id根据设备序号设置即可 +#变量vvipv4_1、vvipv4_2、vvipv6_1、vvipv6_2为Allot相关配置,其他环境可不填或直接删除变量 +# +#20.09版本新增APP部署 +#[app_global] +#0.0.0.0 + +#[server_as_tun_mode] +#1.1.1.1 device_id=device_1 +# +#[adc_mxn] +#10.3.72.1 +#10.3.72.2 +# +#[adc_mcn0] +#10.3.73.1 device_id=device_1 vvipv4_1=10.3.61.1 vvipv4_2=10.3.62.1 vvipv6_1=fc00::61:1 vvipv6_2=fc00::62:1 +#10.3.73.2 device_id=device_2 vvipv4_1=10.3.61.2 vvipv4_2=10.3.62.2 vvipv6_1=fc00::61:2 vvipv6_2=fc00::62:2 +# +#[adc_mcn1] +#10.3.74.1 device_id=device_1 +#10.3.74.2 device_id=device_2 +# +#[adc_mcn2] +#10.3.75.1 device_id=device_1 +#10.3.75.2 device_id=device_2 +# +#[adc_mcn3] +#10.3.76.1 device_id=device_1 +#10.3.76.2 device_id=device_2 + +#[app_global] +#[server_as_tun_mode] +#broken warning: +#10.4.52.71 +[adc_mcn0] +[adc_mcn1] +[adc_mcn2] +[adc_mcn3] +[app_global] +[server_as_tun_mode] + + diff --git a/roles/firewall/files/dns-2.0.9.b639626-2.el7.x86_64.rpm b/roles/firewall/files/dns-2.0.9.b639626-2.el7.x86_64.rpm new file mode 100644 index 0000000..38b04dc Binary files /dev/null and b/roles/firewall/files/dns-2.0.9.b639626-2.el7.x86_64.rpm differ diff --git a/roles/firewall/files/ftp-1.0.8.13d5fda-2.el7.x86_64.rpm b/roles/firewall/files/ftp-1.0.8.13d5fda-2.el7.x86_64.rpm new file mode 100644 index 0000000..8e8a92f Binary files /dev/null and b/roles/firewall/files/ftp-1.0.8.13d5fda-2.el7.x86_64.rpm differ diff --git a/roles/firewall/files/http-2.0.5.c61ad9a-2.el7.x86_64.rpm b/roles/firewall/files/http-2.0.5.c61ad9a-2.el7.x86_64.rpm new file mode 100644 index 0000000..2b6a7cf Binary files /dev/null and b/roles/firewall/files/http-2.0.5.c61ad9a-2.el7.x86_64.rpm differ diff --git a/roles/firewall/files/mail-1.0.9.c1d3bde-2.el7.x86_64.rpm b/roles/firewall/files/mail-1.0.9.c1d3bde-2.el7.x86_64.rpm new file mode 100644 index 0000000..1eace4e Binary files /dev/null and b/roles/firewall/files/mail-1.0.9.c1d3bde-2.el7.x86_64.rpm differ 
diff --git a/roles/firewall/files/quic-1.1.17.8c22b4d-2.el7.x86_64.rpm b/roles/firewall/files/quic-1.1.17.8c22b4d-2.el7.x86_64.rpm
new file mode 100644
index 0000000..8284196
Binary files /dev/null and b/roles/firewall/files/quic-1.1.17.8c22b4d-2.el7.x86_64.rpm differ
diff --git a/roles/firewall/files/ssl-1.0.12.16b8fb5-2.el7.x86_64.rpm b/roles/firewall/files/ssl-1.0.12.16b8fb5-2.el7.x86_64.rpm
new file mode 100644
index 0000000..7d92f28
Binary files /dev/null and b/roles/firewall/files/ssl-1.0.12.16b8fb5-2.el7.x86_64.rpm differ
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
new file mode 100644
index 0000000..054a1c2
--- /dev/null
+++ b/roles/firewall/tasks/main.yml
@@ -0,0 +1,21 @@
+---
+- name: "copy firewall rpms to destination server"
+ copy:
+ src: "{{ role_path }}/files/"
+ dest: /tmp/ansible_deploy/
+
+- name: "install firewall packages"
+ yum:
+ name: "{{ fw_packages }}"
+ state: present
+ skip_broken: yes
+ vars:
+ fw_packages:
+ - /tmp/ansible_deploy/dns-2.0.9.b639626-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/ftp-1.0.8.13d5fda-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/http-2.0.5.c61ad9a-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/mail-1.0.9.c1d3bde-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/quic-1.1.17.8c22b4d-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/ssl-1.0.12.16b8fb5-2.el7.x86_64.rpm
+
+
diff --git a/roles/framework/files/framework.conf b/roles/framework/files/framework.conf
new file mode 100644
index 0000000..446277c
--- /dev/null
+++ b/roles/framework/files/framework.conf
@@ -0,0 +1 @@
+/opt/MESA/lib/
diff --git a/roles/framework/files/libMESA_field_stat-1.0.2.6d45eed-2.el7.x86_64.rpm b/roles/framework/files/libMESA_field_stat-1.0.2.6d45eed-2.el7.x86_64.rpm
new file mode 100644
index 0000000..e217ac8
Binary files /dev/null and b/roles/framework/files/libMESA_field_stat-1.0.2.6d45eed-2.el7.x86_64.rpm differ
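Review bot: The RPMs are staged in the fixed path `/tmp/ansible_deploy/` and then installed as root from there, and nothing checks that the files installed are the files that were shipped. `/tmp` is world-writable, so a local account on the target can create that directory first or swap a package between the copy and the `yum` task; stage into a root-owned directory created with `mode: "0700"` instead. The packages are binary blobs committed to the repository, and as far as I know yum leaves signature checks off for local package files by default, so either pin a checksum per file or sign the packages and enable the check. `skip_broken: yes` also lets the task report success with some of the parser plugins missing. The same staging pattern appears in the framework, kernel-ml and mrzcpd roles of this commit, and matters most in kernel-ml, where the package is the kernel itself.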
diff --git a/roles/framework/files/libMESA_field_stat2-2.9.10.72ac4f1-2.el7.x86_64.rpm b/roles/framework/files/libMESA_field_stat2-2.9.10.72ac4f1-2.el7.x86_64.rpm new file mode 100644 index 0000000..badbcb5 Binary files /dev/null and b/roles/framework/files/libMESA_field_stat2-2.9.10.72ac4f1-2.el7.x86_64.rpm differ diff --git a/roles/framework/files/libMESA_handle_logger-2.0.7.cb4ad71-2.el7.x86_64.rpm b/roles/framework/files/libMESA_handle_logger-2.0.7.cb4ad71-2.el7.x86_64.rpm new file mode 100644 index 0000000..dd04541 Binary files /dev/null and b/roles/framework/files/libMESA_handle_logger-2.0.7.cb4ad71-2.el7.x86_64.rpm differ diff --git a/roles/framework/files/libMESA_htable-3.10.12.cf4ccfc-2.el7.x86_64.rpm b/roles/framework/files/libMESA_htable-3.10.12.cf4ccfc-2.el7.x86_64.rpm new file mode 100644 index 0000000..5a45e4e Binary files /dev/null and b/roles/framework/files/libMESA_htable-3.10.12.cf4ccfc-2.el7.x86_64.rpm differ diff --git a/roles/framework/files/libMESA_prof_load-1.0.6.c6da36a-2.el7.x86_64.rpm b/roles/framework/files/libMESA_prof_load-1.0.6.c6da36a-2.el7.x86_64.rpm new file mode 100644 index 0000000..8ffff2b Binary files /dev/null and b/roles/framework/files/libMESA_prof_load-1.0.6.c6da36a-2.el7.x86_64.rpm differ diff --git a/roles/framework/files/libWiredLB-2.0.5.4629165-2.el7.x86_64.rpm b/roles/framework/files/libWiredLB-2.0.5.4629165-2.el7.x86_64.rpm new file mode 100644 index 0000000..8681621 Binary files /dev/null and b/roles/framework/files/libWiredLB-2.0.5.4629165-2.el7.x86_64.rpm differ diff --git a/roles/framework/files/libbreakpad_mini-1.0.2.a56ef00-2.el7.x86_64.rpm b/roles/framework/files/libbreakpad_mini-1.0.2.a56ef00-2.el7.x86_64.rpm new file mode 100644 index 0000000..448184a Binary files /dev/null and b/roles/framework/files/libbreakpad_mini-1.0.2.a56ef00-2.el7.x86_64.rpm differ 
diff --git a/roles/framework/files/libcjson-1.7.10.ab2896f-2.el7.x86_64.rpm b/roles/framework/files/libcjson-1.7.10.ab2896f-2.el7.x86_64.rpm new file mode 100644 index 0000000..7c3ee89 Binary files /dev/null and b/roles/framework/files/libcjson-1.7.10.ab2896f-2.el7.x86_64.rpm differ diff --git a/roles/framework/files/libdocumentanalyze-2.0.6.2d1abe0-2.el7.x86_64.rpm b/roles/framework/files/libdocumentanalyze-2.0.6.2d1abe0-2.el7.x86_64.rpm new file mode 100644 index 0000000..7620c25 Binary files /dev/null and b/roles/framework/files/libdocumentanalyze-2.0.6.2d1abe0-2.el7.x86_64.rpm differ diff --git a/roles/framework/files/libmaatframe-3.1.10.653727e-2.el7.x86_64.rpm b/roles/framework/files/libmaatframe-3.1.10.653727e-2.el7.x86_64.rpm new file mode 100644 index 0000000..8c6b2e6 Binary files /dev/null and b/roles/framework/files/libmaatframe-3.1.10.653727e-2.el7.x86_64.rpm differ diff --git a/roles/framework/files/librdkafka-0.11.4-1.el7.x86_64.rpm b/roles/framework/files/librdkafka-0.11.4-1.el7.x86_64.rpm new file mode 100644 index 0000000..dd12e43 Binary files /dev/null and b/roles/framework/files/librdkafka-0.11.4-1.el7.x86_64.rpm differ diff --git a/roles/framework/files/librulescan-2.2.2.e5a4457-2.el7.x86_64.rpm b/roles/framework/files/librulescan-2.2.2.e5a4457-2.el7.x86_64.rpm new file mode 100644 index 0000000..d3d13db Binary files /dev/null and b/roles/framework/files/librulescan-2.2.2.e5a4457-2.el7.x86_64.rpm differ diff --git a/roles/framework/files/libtsglua-1.0.8.0dbf2e6-2.el7.x86_64.rpm b/roles/framework/files/libtsglua-1.0.8.0dbf2e6-2.el7.x86_64.rpm new file mode 100644 index 0000000..3ab7428 Binary files /dev/null and b/roles/framework/files/libtsglua-1.0.8.0dbf2e6-2.el7.x86_64.rpm differ 
diff --git a/roles/framework/files/libwiredcfg-2.0.6.67ae0ab-2.el7.x86_64.rpm b/roles/framework/files/libwiredcfg-2.0.6.67ae0ab-2.el7.x86_64.rpm new file mode 100644 index 0000000..7b5a44b Binary files /dev/null and b/roles/framework/files/libwiredcfg-2.0.6.67ae0ab-2.el7.x86_64.rpm differ diff --git a/roles/framework/files/lz4-1.7.5-3.el7.x86_64.rpm b/roles/framework/files/lz4-1.7.5-3.el7.x86_64.rpm new file mode 100644 index 0000000..07035f1 Binary files /dev/null and b/roles/framework/files/lz4-1.7.5-3.el7.x86_64.rpm differ diff --git a/roles/framework/tasks/main.yml b/roles/framework/tasks/main.yml new file mode 100644 index 0000000..2735b5d --- /dev/null +++ b/roles/framework/tasks/main.yml 
@@ -0,0 +1,40 @@
+- name: "copy framework rpms to destination server"
+ synchronize:
+ src: "{{ role_path }}/files/"
+ dest: "/tmp/ansible_deploy/"
+
+- name: "install framework packages"
+ yum:
+ name: "{{ packages }}"
+ state: present
+ skip_broken: yes
+ vars:
+ packages:
+ - /tmp/ansible_deploy/libcjson-1.7.10.ab2896f-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/libdocumentanalyze-2.0.6.2d1abe0-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/libmaatframe-3.1.10.653727e-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/libMESA_field_stat-1.0.2.6d45eed-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/libMESA_field_stat2-2.9.10.72ac4f1-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/libMESA_handle_logger-2.0.7.cb4ad71-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/libMESA_htable-3.10.12.cf4ccfc-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/libMESA_prof_load-1.0.6.c6da36a-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/librdkafka-0.11.4-1.el7.x86_64.rpm
+ - /tmp/ansible_deploy/librulescan-2.2.2.e5a4457-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/libtsglua-1.0.8.0dbf2e6-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/libwiredcfg-2.0.6.67ae0ab-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/libWiredLB-2.0.5.4629165-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/lz4-1.7.5-3.el7.x86_64.rpm
+ - /tmp/ansible_deploy/libbreakpad_mini-1.0.2.a56ef00-2.el7.x86_64.rpm
+
+- name: "mkdir /etc/ld.so.conf.d/"
+ file:
+ path: /etc/ld.so.conf.d/
+ state: directory
+
+- name: "copy framework.conf to destination server"
+ copy:
+ src: "{{ role_path }}/files/framework.conf"
+ dest: /etc/ld.so.conf.d/
+
+- name: "update ld"
+ command: ldconfig
diff --git a/roles/kernel-ml/files/dkms-2.7.1-1.el7.noarch.rpm b/roles/kernel-ml/files/dkms-2.7.1-1.el7.noarch.rpm
new file mode 100644
index 0000000..e5a68ba
Binary files /dev/null and b/roles/kernel-ml/files/dkms-2.7.1-1.el7.noarch.rpm differ
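Review bot: `framework.conf` puts `/opt/MESA/lib/` on the system-wide loader path, so every dynamically linked program on the host will resolve libraries from it, yet nothing in this role pins who may write there. The copy into `/etc/ld.so.conf.d/` sets no `owner`, `group` or `mode`, and the ownership of `/opt/MESA/lib` is left to the RPMs, which are not visible here. I would add `owner: root`, `group: root` and `mode: "0644"` to the copy task and assert after installation that the directory is root-owned and not group- or world-writable. `command: ldconfig` also runs and reports changed on every play; turning it into a handler notified by the install and copy tasks keeps repeated runs clean.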
diff --git a/roles/kernel-ml/files/elfutils-libelf-devel-0.168-8.el7.x86_64.rpm b/roles/kernel-ml/files/elfutils-libelf-devel-0.168-8.el7.x86_64.rpm new file mode 100644 index 0000000..b31fff6 Binary files /dev/null and b/roles/kernel-ml/files/elfutils-libelf-devel-0.168-8.el7.x86_64.rpm differ diff --git a/roles/kernel-ml/files/grub b/roles/kernel-ml/files/grub new file mode 100644 index 0000000..0bb60ad --- /dev/null +++ b/roles/kernel-ml/files/grub @@ -0,0 +1,8 @@ +GRUB_TIMEOUT=5 +GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)" +GRUB_DEFAULT=saved +GRUB_DISABLE_SUBMENU=true +GRUB_TERMINAL="serial console" +GRUB_SERIAL_COMMAND="serial --speed=115200" +GRUB_CMDLINE_LINUX="crashkernel=auto console=ttyS0,115200 intel_iommu=on iommu=pt pci=realloc,assign-busses" +GRUB_DISABLE_RECOVERY="true" diff --git a/roles/kernel-ml/files/kernel/kernel-ml-5.1.8-1.el7.elrepo.x86_64.rpm b/roles/kernel-ml/files/kernel/kernel-ml-5.1.8-1.el7.elrepo.x86_64.rpm new file mode 100644 index 0000000..6fefdec Binary files /dev/null and b/roles/kernel-ml/files/kernel/kernel-ml-5.1.8-1.el7.elrepo.x86_64.rpm differ diff --git a/roles/kernel-ml/files/kernel/kernel-ml-devel-5.1.8-1.el7.elrepo.x86_64.rpm b/roles/kernel-ml/files/kernel/kernel-ml-devel-5.1.8-1.el7.elrepo.x86_64.rpm new file mode 100644 index 0000000..1dd97ca Binary files /dev/null and b/roles/kernel-ml/files/kernel/kernel-ml-devel-5.1.8-1.el7.elrepo.x86_64.rpm differ diff --git a/roles/kernel-ml/files/pkgconfig-0.27.1-4.el7.x86_64.rpm b/roles/kernel-ml/files/pkgconfig-0.27.1-4.el7.x86_64.rpm new file mode 100644 index 0000000..d37c601 Binary files /dev/null and b/roles/kernel-ml/files/pkgconfig-0.27.1-4.el7.x86_64.rpm differ diff --git a/roles/kernel-ml/files/zlib-devel-1.2.7-17.el7.x86_64.rpm b/roles/kernel-ml/files/zlib-devel-1.2.7-17.el7.x86_64.rpm new file mode 100644 index 0000000..fb29222 Binary files /dev/null and b/roles/kernel-ml/files/zlib-devel-1.2.7-17.el7.x86_64.rpm differ 
diff --git a/roles/kernel-ml/tasks/main.yml b/roles/kernel-ml/tasks/main.yml
new file mode 100644
index 0000000..1f13b0f
--- /dev/null
+++ b/roles/kernel-ml/tasks/main.yml
@@ -0,0 +1,45 @@
+---
+- name: "copy framework rpms to destination server"
+ synchronize:
+ src: "{{ role_path }}/files/"
+ dest: "/tmp/ansible_deploy/"
+
+- name: "install kernels-ml"
+ yum:
+ name:
+ - /tmp/ansible_deploy/pkgconfig-0.27.1-4.el7.x86_64.rpm
+ - /tmp/ansible_deploy/zlib-devel-1.2.7-17.el7.x86_64.rpm
+ - /tmp/ansible_deploy/elfutils-libelf-devel-0.168-8.el7.x86_64.rpm
+ - /tmp/ansible_deploy/kernel/kernel-ml-5.1.8-1.el7.elrepo.x86_64.rpm
+ - /tmp/ansible_deploy/kernel/kernel-ml-devel-5.1.8-1.el7.elrepo.x86_64.rpm
+ - /tmp/ansible_deploy/dkms-2.7.1-1.el7.noarch.rpm
+ state: present
+ register: t_kernel_ml
+
+- name: "set kernel-ml as default kernel"
+ command: /usr/sbin/grub2-set-default 0
+ when: t_kernel_ml.changed
+
+- name: "copy /etc/default/grub"
+ copy:
+ src: "{{ role_path }}/files/grub"
+ dest: "/etc/default"
+ when:
+ - tsg_access_type == 4
+ - t_kernel_ml.changed
+
+- name: "BIOS:grub2-mkconfig"
+ shell: grub2-mkconfig -o /boot/grub2/grub.cfg
+ when:
+ - tsg_access_type == 4
+ - t_kernel_ml.changed
+
+- name: "UEFI:grub2-mkconfig"
+ shell: grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg
+ when:
+ - tsg_access_type == 4
+ - t_kernel_ml.changed
+
+- name: "reboot"
+ reboot:
+ when: t_kernel_ml.changed
diff --git a/roles/mrzcpd/files/mrzcpd-4.3.30.4627eb7-1.el7.x86_64.rpm b/roles/mrzcpd/files/mrzcpd-4.3.30.4627eb7-1.el7.x86_64.rpm
new file mode 100644
index 0000000..9d2dd37
Binary files /dev/null and b/roles/mrzcpd/files/mrzcpd-4.3.30.4627eb7-1.el7.x86_64.rpm differ
diff --git a/roles/mrzcpd/tasks/main.yml b/roles/mrzcpd/tasks/main.yml
new file mode 100644
index 0000000..0b3f708
--- /dev/null
+++ b/roles/mrzcpd/tasks/main.yml
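Review bot: `grub2-set-default 0` and the two `grub2-mkconfig` tasks assume a boot layout that the play never checks before the unconditional `reboot`. Index 0 is the new kernel only if it happens to sort first in the generated menu, and both the BIOS and the UEFI paths are written on every `tsg_access_type == 4` host, so on a BIOS machine the `/boot/efi/EFI/centos/grub.cfg` task is likely to fail or leave a stray file. I would gate each mkconfig task on a `stat` of `/sys/firmware/efi` and select the default entry by the installed kernel rather than by position. Separately, the role pins the bundled `kernel-ml-5.1.8-1.el7.elrepo` package, which will not pick up fixes through this play; the role should say how kernel security updates are meant to reach these hosts.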
@@ -0,0 +1,192 @@ +--- +- name: "copy mrzcpd to destination server" + synchronize: + src: "{{ role_path }}/files/" + dest: "/tmp/ansible_deploy/" + +- name: "install mrzcpd" + yum: + name: /tmp/ansible_deploy/mrzcpd-4.3.30.4627eb7-1.el7.x86_64.rpm + state: present + +- name: "update sysconfig/mrzcpd" + template: + src: "{{ role_path }}/templates/mrzcpd.j2" + dest: /etc/sysconfig/mrzcpd + +- name: "update mrglobal.conf - traffic_mirror" + template: + src: "{{ role_path }}/templates/traffic_mirror/mrglobal.conf.traffic_mirror.j2" + dest: /opt/mrzcpd/etc/mrglobal.conf + when: nic_traffic_mirror is defined + + +- name: "copy mrapp.sapp4.conf to destination server" + template: + src: "{{ role_path }}/templates/mrapp.sapp4.conf " + dest: /opt/mrzcpd/etc/mrapp.sapp4.conf + when: + - tsg_access_type == 4 + +- name: "update mrglobal.conf.adc_inline" + template: + src: "{{ role_path }}/templates/adc_inline/mrglobal.conf.adc_inline.j2" + dest: /opt/mrzcpd/etc/mrglobal.conf + when: + - nic_traffic_mirror is not defined + - tsg_access_type == 1 + - tsg_running_type == 2 + +- name: "update mrglobal.conf.server_inline" + template: + src: "{{ role_path }}/templates/server_inline/mrglobal.conf.server_inline.j2" + dest: /opt/mrzcpd/etc/mrglobal.conf + when: + - nic_traffic_mirror is not defined + - tsg_access_type == 1 + - tsg_running_type != 2 + +- name: "update mrglobal.conf.allot - mcn0" + template: + src: "{{ role_path }}/templates/allot_access/mrglobal.conf.allot_access.j2" + dest: /opt/mrzcpd/etc/mrglobal.conf + when: + - nic_traffic_mirror is not defined + - tsg_access_type == 2 + +- name: "update mrglobal.conf.adc_tun_mode - mcn0" + template: + src: "{{ role_path }}/templates/adc_tun_mode/mrglobal.conf.adc_tun_mode.j2" + dest: /opt/mrzcpd/etc/mrglobal.conf + when: + - nic_traffic_mirror is not defined + - tsg_access_type == 3 + + +- name: "update mrglobal.conf.ATCA_Vlan_Flipping" + template: + src: "{{ role_path 
}}/templates/ATCA_Vlan_Flipping/mrglobal.conf.ATCA_Vlan_Flipping.j2" + dest: /opt/mrzcpd/etc/mrglobal.conf + when: + - nic_traffic_mirror is not defined + - tsg_access_type == 4 + +- name: "update mrglobal.conf.ATCA_VXLAN" + template: + src: "{{ role_path }}/templates/ATCA_VXLAN/mrglobal.conf.ATCA_VXLAN.j2" + dest: /opt/mrzcpd/etc/mrglobal.conf + when: + - nic_traffic_mirror is not defined + - tsg_access_type == 5 + +- name: "update mrtunnat.conf.adc_inline" + template: + src: "{{ role_path }}/templates/adc_inline/mrtunnat.conf.adc_inline.j2" + dest: /opt/mrzcpd/etc/mrtunnat.conf + when: + - nic_traffic_mirror is not defined + - tsg_access_type == 1 + - tsg_running_type == 2 + +- name: "update mrtunnat.conf.server_inline" + template: + src: "{{ role_path }}/templates/server_inline/mrtunnat.conf.server_inline.j2" + dest: /opt/mrzcpd/etc/mrtunnat.conf + when: + - nic_traffic_mirror is not defined + - tsg_access_type == 1 + - tsg_running_type != 2 + +- name: "update mrtunnat.conf.allot_access - mcn0" + template: + src: "{{ role_path }}/templates/allot_access/mrtunnat.conf.allot_access.j2" + dest: /opt/mrzcpd/etc/mrtunnat.conf + when: + - nic_traffic_mirror is not defined + - tsg_access_type == 2 + +- name: "update mrtunnat.conf.adc_tun_mode - mcn0" + template: + src: "{{ role_path }}/templates/adc_tun_mode/mrtunnat.conf.adc_tun_mode.j2" + dest: /opt/mrzcpd/etc/mrtunnat.conf + when: + - nic_traffic_mirror is not defined + - tsg_access_type == 3 + +- name: "update mrtunnat.conf.ATCA_Vlan_Flipping" + template: + src: "{{ role_path }}/templates/ATCA_Vlan_Flipping/mrtunnat.conf.ATCA_Vlan_Flipping.j2" + dest: /opt/mrzcpd/etc/mrtunnat.conf + when: + - nic_traffic_mirror is not defined + - tsg_access_type == 4 + +- name: "update mrtunnat.conf.ATCA_VXLAN" + template: + src: "{{ role_path }}/templates/ATCA_VXLAN/mrtunnat.conf.ATCA_VXLAN.j2" + dest: /opt/mrzcpd/etc/mrtunnat.conf + when: + - nic_traffic_mirror is not defined + - tsg_access_type == 5 + +- name: "enable mrenv" + 
systemd: + name: mrenv + enabled: yes + daemon_reload: yes + when: + - tsg_access_type != 0 + +- name: "enable mrzcpd" + systemd: + name: mrzcpd + enabled: yes + daemon_reload: yes + when: + - tsg_access_type != 0 + +- name: "enable prometheus output - monit_device" + systemd: + name: mrapm_device + enabled: yes + daemon_reload: yes + +- name: "enable prometheus output - monit_stream" + systemd: + name: mrapm_stream + enabled: yes + daemon_reload: yes + +- name: "enable mrtunnat on master" + systemd: + name: mrtunnat + enabled: no + daemon_reload: yes + when: + - nic_traffic_mirror is not defined + - tsg_access_type != 0 + +- name: "disable mrtunnat on slave" + systemd: + name: mrtunnat + enabled: no + daemon_reload: yes + when: nic_traffic_mirror is defined + +- name: "mask mrzcpd on server_tun_mode" + systemd: + name: mrzcpd + enabled: no + masked: yes + daemon_reload: yes + when: + - tsg_access_type == 0 + +- name: "mask mrtunnat on server_tun_mode" + systemd: + name: mrtunnat + enabled: no + masked: yes + daemon_reload: yes + when: + - tsg_access_type == 0 diff --git a/roles/mrzcpd/templates/ATCA_VXLAN/mrglobal.conf.ATCA_VXLAN.j2 b/roles/mrzcpd/templates/ATCA_VXLAN/mrglobal.conf.ATCA_VXLAN.j2 new file mode 100644 index 0000000..f012661 --- /dev/null +++ b/roles/mrzcpd/templates/ATCA_VXLAN/mrglobal.conf.ATCA_VXLAN.j2 
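Review bot: Two tasks in this file do not do what their names say. `src: "{{ role_path }}/templates/mrapp.sapp4.conf "` carries a trailing space inside the quotes, so the template lookup will most likely fail on `tsg_access_type == 4` hosts, and "enable mrtunnat on master" sets `enabled: no`, the same as "disable mrtunnat on slave", which leaves mrtunnat disabled on every host unless that is intended. The fixes are `src: "{{ role_path }}/templates/mrapp.sapp4.conf"` and `enabled: yes`. `mrapm_device` and `mrapm_stream` are also enabled with no `when`, including on `tsg_access_type == 0` hosts where mrzcpd itself is masked. None of the `template` tasks set `owner` or `mode` on the files written under `/opt/mrzcpd/etc`, so their permissions depend on the umask of the connecting user.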
@@ -0,0 +1,57 @@ +[device] +device={{ATCA_data_incoming.vf0_name}},{{ ATCA_data_incoming.vf1_name }},vxlan_user,vxlan_fwd +sz_tunnel=8192 +sz_buffer=32 + +[device:{{ATCA_data_incoming.vf0_name}}] +mtu=4096 +clear_tx_flags=1 +hw_strip_crc=1 +in_addr={{ ATCA_VXLAN.keepalive_ip }} +in_mask={{ ATCA_VXLAN.keepalive_mask }} +#rssmode=3 + +[device:{{ ATCA_data_incoming.vf1_name }}] +mtu=4096 +clear_tx_flags=1 +vlan-filter=1 +vlan-strip=1 +vlan-id-allow=4095 +vlan-pvid=0 +vlan-pvid-mode=2 +hw_strip_crc=1 +sz_tunnel=8192 +sz_buffer=0 + +[service] +# lcore id for i/o service, use comma to split +iocore={{ mrzcpd.iocore }} +distmode=1 +hashmode=0 +idle_threshold=10000 + +[eal] +virtaddr=0x7f40c4a00000 +loglevel=7 + +[keepalive] +check_spinlock=0 + +[ctrlzone] +ctrlzone0=tunnat,64 + +[pool] +create_mode=3 +sz_direct_pktmbuf=4194304 +sz_indirect_pktmbuf=8192 +sz_cache=256 +sz_data=4096 + +[forward] +nr_forward_rule=6 +forward_rule_0=pv,{{ATCA_data_incoming.vf0_name}},{{ATCA_data_incoming.vf0_name}} +forward_rule_1=vp,{{ATCA_data_incoming.vf0_name}},{{ATCA_data_incoming.vf0_name}} +forward_rule_2=vv,vxlan_fwd,vxlan_user +forward_rule_3=vv,vxlan_user,vxlan_fwd +forward_rule_4=pv,{{ ATCA_data_incoming.vf1_name }},{{ ATCA_data_incoming.vf1_name }} +forward_rule_5=vp,{{ ATCA_data_incoming.vf1_name }},{{ ATCA_data_incoming.vf1_name }} diff --git a/roles/mrzcpd/templates/ATCA_VXLAN/mrtunnat.conf.ATCA_VXLAN.j2 b/roles/mrzcpd/templates/ATCA_VXLAN/mrtunnat.conf.ATCA_VXLAN.j2 new file mode 100644 index 0000000..ac710dd --- /dev/null +++ b/roles/mrzcpd/templates/ATCA_VXLAN/mrtunnat.conf.ATCA_VXLAN.j2 
@@ -0,0 +1,20 @@ +[tunnat] +lcore_id={{ mrtunnat.lcore_id }} +appsym=tunnat +phydev={{ATCA_data_incoming.vf0_name}} +virtdev=vxlan_fwd +nr_max_sessions=524280 +nr_slots=1048576 +expire_time=60 +reverse_tunnel=0 +use_recent_tunnel=0 +use_link_info_table=1 +use_tuple4_as_sskey=0 +ctrlzone_addr_info_type=2 +idle_threshold=10000 + +[vlan_flipping] +enable=0 +c_router_vlan_id_0=1000 +i_router_vlan_id_0=1001 +en_mac_flipping_0=0 diff --git a/roles/mrzcpd/templates/ATCA_Vlan_Flipping/mrglobal.conf.ATCA_Vlan_Flipping.j2 b/roles/mrzcpd/templates/ATCA_Vlan_Flipping/mrglobal.conf.ATCA_Vlan_Flipping.j2 new file mode 100644 index 0000000..01e6543 --- /dev/null +++ b/roles/mrzcpd/templates/ATCA_Vlan_Flipping/mrglobal.conf.ATCA_Vlan_Flipping.j2 
@@ -0,0 +1,60 @@ +[device] +device={{ATCA_data_incoming.vf0_name}},{{ ATCA_data_incoming.vf1_name }},vxlan_user,vxlan_fwd +sz_tunnel=8192 +sz_buffer=32 + +[device:{{ATCA_data_incoming.vf0_name}}] +mtu=4096 +clear_tx_flags=1 +vlan-filter=1 +vlan-strip=1 +vlan-id-allow={{ ATCA_VlanFlipping.vlanID_1 }},{{ ATCA_VlanFlipping.vlanID_2 }},{{ ATCA_VlanFlipping.vlanID_3 }},{{ ATCA_VlanFlipping.vlanID_4 }} +vlan-pvid=0 +vlan-pvid-mode=2 +hw_strip_crc=1 +#rssmode=3 + +[device:{{ ATCA_data_incoming.vf1_name }}] +mtu=4096 +clear_tx_flags=1 +vlan-filter=1 +vlan-strip=1 +vlan-id-allow=4095 +vlan-pvid=0 +vlan-pvid-mode=2 +hw_strip_crc=1 +sz_tunnel=8192 +sz_buffer=0 + +[service] +# lcore id for i/o service, use comma to split +iocore={{ mrzcpd.iocore }} +distmode=1 +hashmode=0 +idle_threshold=10000 + +[eal] +virtaddr=0x7f40c4a00000 +loglevel=7 + +[keepalive] +check_spinlock=0 + +[ctrlzone] +ctrlzone0=tunnat,64 + +[pool] +create_mode=3 +sz_direct_pktmbuf=4194304 +sz_indirect_pktmbuf=8192 +sz_cache=256 +sz_data=4096 + +[forward] +nr_forward_rule=6 +forward_rule_0=pv,{{ATCA_data_incoming.vf0_name}},{{ATCA_data_incoming.vf0_name}} +forward_rule_1=vp,{{ATCA_data_incoming.vf0_name}},{{ATCA_data_incoming.vf0_name}} +forward_rule_2=vv,vxlan_fwd,vxlan_user +forward_rule_3=vv,vxlan_user,vxlan_fwd +forward_rule_4=pv,{{ ATCA_data_incoming.vf1_name }},{{ ATCA_data_incoming.vf1_name }} +forward_rule_5=vp,{{ ATCA_data_incoming.vf1_name }},{{ ATCA_data_incoming.vf1_name }} diff --git a/roles/mrzcpd/templates/ATCA_Vlan_Flipping/mrtunnat.conf.ATCA_Vlan_Flipping.j2 b/roles/mrzcpd/templates/ATCA_Vlan_Flipping/mrtunnat.conf.ATCA_Vlan_Flipping.j2 new file mode 100644 index 0000000..95f1734 --- /dev/null +++ b/roles/mrzcpd/templates/ATCA_Vlan_Flipping/mrtunnat.conf.ATCA_Vlan_Flipping.j2 
@@ -0,0 +1,23 @@ +[tunnat] +lcore_id={{ mrtunnat.lcore_id }} +appsym=tunnat +phydev={{ATCA_data_incoming.vf0_name}} +virtdev=vxlan_fwd +nr_max_sessions=524280 +nr_slots=1048576 +expire_time=60 +reverse_tunnel=0 +use_recent_tunnel=0 +use_link_info_table=1 +use_tuple4_as_sskey=0 +ctrlzone_addr_info_type=2 +idle_threshold=10000 + +[vlan_flipping] +enable=1 +c_router_vlan_id_0={{ ATCA_VlanFlipping.vlanID_1 }} +i_router_vlan_id_0={{ ATCA_VlanFlipping.vlanID_2 }} +en_mac_flipping_0=0 +c_router_vlan_id_1={{ ATCA_VlanFlipping.vlanID_3 }} +i_router_vlan_id_1={{ ATCA_VlanFlipping.vlanID_4 }} +en_mac_flipping_1=0 diff --git a/roles/mrzcpd/templates/adc_inline/mrglobal.conf.adc_inline.j2 b/roles/mrzcpd/templates/adc_inline/mrglobal.conf.adc_inline.j2 new file mode 100644 index 0000000..a80a483 --- /dev/null +++ b/roles/mrzcpd/templates/adc_inline/mrglobal.conf.adc_inline.j2 
@@ -0,0 +1,67 @@ +[device] +device={{nic_data_incoming.name}},{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe2.name}},vxlan_user,vxlan_fwd +sz_tunnel=8192 +sz_buffer=0 + +[device:{{nic_data_incoming.name}}] +in_addr={{inline_device_config.keepalive_ip}} +in_mask={{inline_device_config.keepalive_mask}} +jumbo_frame=1 +max_rx_pkt_len=15360 +clear_tx_flags=1 +vlan-filter=1 +vlan-id-allow=1000,1001,4000,4001 + +[device:{{nic_to_tfe.tfe0.name}}] +jumbo_frame=1 +max_rx_pkt_len=15360 +clear_tx_flags=1 +promisc=1 + +[device:{{nic_to_tfe.tfe1.name}}] +jumbo_frame=1 +max_rx_pkt_len=15360 +clear_tx_flags=1 +promisc=1 + +[device:{{nic_to_tfe.tfe2.name}}] +jumbo_frame=1 +max_rx_pkt_len=15360 +clear_tx_flags=1 +promisc=1 + +[service] +# lcore id for i/o service, use comma to split +iocore={{ mcn0_mrzcpd.iocore }} +distmode=2 +hashmode=0 + +[eal] +virtaddr=0x7f40c4a00000 +loglevel=7 + +[keepalive] +check_spinlock=0 + +[ctrlzone] +ctrlzone0=tunnat,64 + +[pool] +create_mode=3 +sz_direct_pktmbuf=4194304 +sz_indirect_pktmbuf=8192 +sz_cache=256 +sz_data=4096 + +[forward] +nr_forward_rule=10 +forward_rule_0=pv,{{nic_data_incoming.name}},{{nic_data_incoming.name}} +forward_rule_1=vp,{{nic_data_incoming.name}},{{nic_data_incoming.name}} +forward_rule_2=vv,vxlan_fwd,vxlan_user +forward_rule_3=vv,vxlan_user,vxlan_fwd +forward_rule_4=pv,{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe0.name}} +forward_rule_5=vp,{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe0.name}} +forward_rule_6=pv,{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe1.name}} +forward_rule_7=vp,{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe1.name}} +forward_rule_8=pv,{{nic_to_tfe.tfe2.name}},{{nic_to_tfe.tfe2.name}} +forward_rule_9=vp,{{nic_to_tfe.tfe2.name}},{{nic_to_tfe.tfe2.name}} diff --git a/roles/mrzcpd/templates/adc_inline/mrtunnat.conf.adc_inline.j2 b/roles/mrzcpd/templates/adc_inline/mrtunnat.conf.adc_inline.j2 new file mode 100644 index 0000000..6c8f5be --- /dev/null 
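Review bot: `iocore={{ mcn0_mrzcpd.iocore }}` reads a different variable from the other mrglobal templates in this commit, which use `{{ mrzcpd.iocore }}`, the name defined in group_vars/server_as_tun_mode.yml. Unless `mcn0_mrzcpd` is defined in a group_vars file not visible here, rendering stops with an undefined-variable error on hosts with `tsg_access_type == 1` and `tsg_running_type == 2`. The allot_access mrglobal template has the same reference. Either change the line to `iocore={{ mrzcpd.iocore }}` or add the variable to the matching group_vars. The allowed VLAN list `1000,1001,4000,4001` is also hard-coded here and repeated in the adc_inline mrtunnat template; one shared variable would keep the filter and the flipping table in step.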
+++ b/roles/mrzcpd/templates/adc_inline/mrtunnat.conf.adc_inline.j2 @@ -0,0 +1,21 @@ +[tunnat] +lcore_id={{ mrtunnat.lcore_id }} +appsym=tunnat +phydev={{nic_data_incoming.name}} +virtdev=vxlan_fwd +nr_max_sessions=524280 +nr_slots=1048576 +expire_time=60 +reverse_tunnel=0 +use_recent_tunnel=0 +use_tuple4_as_sskey=1 +ctrlzone_addr_info_type=2 + +[vlan_flipping] +enable=1 +c_router_vlan_id_0=1000 +i_router_vlan_id_0=1001 +en_mac_flipping_0=0 +c_router_vlan_id_1=4000 +i_router_vlan_id_1=4001 +en_mac_flipping_1=0 diff --git a/roles/mrzcpd/templates/adc_tun_mode/mrglobal.conf.adc_tun_mode.j2 b/roles/mrzcpd/templates/adc_tun_mode/mrglobal.conf.adc_tun_mode.j2 new file mode 100644 index 0000000..032a1c4 --- /dev/null +++ b/roles/mrzcpd/templates/adc_tun_mode/mrglobal.conf.adc_tun_mode.j2 
@@ -0,0 +1,68 @@ +[device] +device={{nic_data_incoming.name}},{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe2.name}},vxlan_user,vxlan_fwd +sz_tunnel=8192 +sz_buffer=0 + +[device:{{nic_data_incoming.name}}] +jumbo_frame=1 +max_rx_pkt_len=15360 +clear_tx_flags=1 +vlan-filter=1 +vlan-id-allow=1000,1001,2000,2001,4000,4001 +vlan-pvid=0 +vlan-pvid-mode=2 +promisc=1 + +[device:{{nic_to_tfe.tfe0.name}}] +jumbo_frame=1 +max_rx_pkt_len=15360 +clear_tx_flags=1 +promisc=1 + +[device:{{nic_to_tfe.tfe1.name}}] +jumbo_frame=1 +max_rx_pkt_len=15360 +clear_tx_flags=1 +promisc=1 + +[device:{{nic_to_tfe.tfe2.name}}] +jumbo_frame=1 +max_rx_pkt_len=15360 +clear_tx_flags=1 +promisc=1 + +[service] +# lcore id for i/o service, use comma to split +iocore={{ mrzcpd.iocore }} +distmode=2 +hashmode=0 + +[eal] +virtaddr=0x7f40c4a00000 +loglevel=7 + +[keepalive] +check_spinlock=0 + +[ctrlzone] +ctrlzone0=tunnat,64 + +[pool] +create_mode=3 +sz_direct_pktmbuf=4194304 +sz_indirect_pktmbuf=8192 +sz_cache=256 +sz_data=4096 + +[forward] +nr_forward_rule=10 +forward_rule_0=pv,{{nic_data_incoming.name}},{{nic_data_incoming.name}} +forward_rule_1=vp,{{nic_data_incoming.name}},{{nic_data_incoming.name}} +forward_rule_2=vv,vxlan_fwd,vxlan_user +forward_rule_3=vv,vxlan_user,vxlan_fwd +forward_rule_4=pv,{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe0.name}} +forward_rule_5=vp,{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe0.name}} +forward_rule_6=pv,{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe1.name}} +forward_rule_7=vp,{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe1.name}} +forward_rule_8=pv,{{nic_to_tfe.tfe2.name}},{{nic_to_tfe.tfe2.name}} +forward_rule_9=vp,{{nic_to_tfe.tfe2.name}},{{nic_to_tfe.tfe2.name}} diff --git a/roles/mrzcpd/templates/adc_tun_mode/mrtunnat.conf.adc_tun_mode.j2 b/roles/mrzcpd/templates/adc_tun_mode/mrtunnat.conf.adc_tun_mode.j2 new file mode 100644 index 0000000..19971c6 --- /dev/null +++ b/roles/mrzcpd/templates/adc_tun_mode/mrtunnat.conf.adc_tun_mode.j2 
@@ -0,0 +1,24 @@ +[tunnat] +lcore_id={{ mrtunnat.lcore_id }} +appsym=tunnat +phydev={{nic_data_incoming.name}} +virtdev=vxlan_fwd +nr_max_sessions=524280 +nr_slots=1048576 +expire_time=60 +reverse_tunnel=0 +use_recent_tunnel=0 +use_tuple4_as_sskey=1 +ctrlzone_addr_info_type=2 + +[vlan_flipping] +enable=1 +c_router_vlan_id_0=1000 +i_router_vlan_id_0=1001 +en_mac_flipping_0=0 +c_router_vlan_id_1=2000 +i_router_vlan_id_1=2001 +en_mac_flipping_1=0 +c_router_vlan_id_2=4000 +i_router_vlan_id_2=4001 +en_mac_flipping_2=0 diff --git a/roles/mrzcpd/templates/allot_access/mrglobal.conf.allot_access.j2 b/roles/mrzcpd/templates/allot_access/mrglobal.conf.allot_access.j2 new file mode 100644 index 0000000..245aecc --- /dev/null +++ b/roles/mrzcpd/templates/allot_access/mrglobal.conf.allot_access.j2 
@@ -0,0 +1,69 @@ +[device] +device=ens1f4,ens1f5,ens1f6,ens1f7,vxlan_user,vxlan_fwd +sz_tunnel=8192 +sz_buffer=0 + +[device:ens1f4] +jumbo_frame=1 +max_rx_pkt_len=15360 +clear_tx_flags=1 +vlan-filter=1 +vlan-id-allow={{ AllotAccess.virturlID_1 }},{{ AllotAccess.virturlID_2 }},{{ AllotAccess.virturlID_3 }},{{ AllotAccess.virturlID_4 }},4000,4001 +vlan-pvid=0 +vlan-pvid-mode=2 +promisc=1 + +[device:ens1f5] +jumbo_frame=1 +max_rx_pkt_len=15360 +clear_tx_flags=1 +promisc=1 + +[device:ens1f6] +jumbo_frame=1 +max_rx_pkt_len=15360 +clear_tx_flags=1 +promisc=1 + +[device:ens1f7] +jumbo_frame=1 +max_rx_pkt_len=15360 +clear_tx_flags=1 +promisc=1 + +[service] +# lcore id for i/o service, use comma to split +iocore={{ mcn0_mrzcpd.iocore }} +distmode=2 +hashmode=0 + +[eal] +virtaddr=0x7f40c4a00000 +loglevel=7 + +[keepalive] +check_spinlock=0 + +[ctrlzone] +ctrlzone0=tunnat,64 + +[pool] +create_mode=3 +sz_direct_pktmbuf=4194304 +sz_indirect_pktmbuf=8192 +sz_cache=256 +sz_data=4096 + +[forward] +nr_forward_rule=10 +forward_rule_0=pv,ens1f4,ens1f4 +forward_rule_1=vp,ens1f4,ens1f4 +forward_rule_2=vv,vxlan_fwd,vxlan_user +forward_rule_3=vv,vxlan_user,vxlan_fwd +forward_rule_4=pv,ens1f5,ens1f5 +forward_rule_5=vp,ens1f5,ens1f5 +forward_rule_6=pv,ens1f6,ens1f6 +forward_rule_7=vp,ens1f6,ens1f6 +forward_rule_8=pv,ens1f7,ens1f7 +forward_rule_9=vp,ens1f7,ens1f7 + diff --git a/roles/mrzcpd/templates/allot_access/mrtunnat.conf.allot_access.j2 b/roles/mrzcpd/templates/allot_access/mrtunnat.conf.allot_access.j2 new file mode 100644 index 0000000..a0841d6 --- /dev/null +++ b/roles/mrzcpd/templates/allot_access/mrtunnat.conf.allot_access.j2 
@@ -0,0 +1,25 @@
+[tunnat]
+lcore_id={{ mrtunnat.lcore_id }}
+appsym=tunnat
+phydev=ens1f4
+virtdev=vxlan_fwd
+nr_max_sessions=524280
+nr_slots=1048576
+expire_time=60
+reverse_tunnel=0
+use_recent_tunnel=0
+use_tuple4_as_sskey=1
+ctrlzone_addr_info_type=2
+
+[vlan_flipping]
+enable=1
+c_router_vlan_id_0={{ AllotAccess.virturlID_1 }}
+i_router_vlan_id_0={{ AllotAccess.virturlID_2 }}
+en_mac_flipping_0=1
+c_router_vlan_id_1={{ AllotAccess.virturlID_3 }}
+i_router_vlan_id_1={{ AllotAccess.virturlID_4 }}
+en_mac_flipping_1=1
+c_router_vlan_id_2=4000
+i_router_vlan_id_2=4001
+en_mac_flipping_2=0
+
diff --git a/roles/mrzcpd/templates/mrapp.sapp4.conf b/roles/mrzcpd/templates/mrapp.sapp4.conf
new file mode 100644
index 0000000..6f6c944
--- /dev/null
+++ b/roles/mrzcpd/templates/mrapp.sapp4.conf
@@ -0,0 +1,2 @@
+[bpfdump:vxlan_user]
+enable=1
diff --git a/roles/mrzcpd/templates/mrzcpd.j2 b/roles/mrzcpd/templates/mrzcpd.j2
new file mode 100644
index 0000000..192a400
--- /dev/null
+++ b/roles/mrzcpd/templates/mrzcpd.j2
@@ -0,0 +1,3 @@
+MRZCPD_ROOT=/opt/mrzcpd
+HUGEPAGE_NUM_2M=16384
+DEFAULT_UIO_MODULE="igb_uio"
\ No newline at end of file
diff --git a/roles/mrzcpd/templates/server_inline/mrglobal.conf.server_inline.j2 b/roles/mrzcpd/templates/server_inline/mrglobal.conf.server_inline.j2
new file mode 100644
index 0000000..b5cef2d
--- /dev/null
+++ b/roles/mrzcpd/templates/server_inline/mrglobal.conf.server_inline.j2
@@ -0,0 +1,47 @@
+[device]
+device={{inline_device_config.data_incoming}},vxlan_user,vxlan_fwd
+sz_tunnel=8192
+sz_buffer=0
+
+[device:{{inline_device_config.data_incoming}}]
+in_addr={{inline_device_config.keepalive_ip}}
+in_mask={{inline_device_config.keepalive_mask}}
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+
+#[device:]
+#jumbo_frame=1
+#max_rx_pkt_len=15360
+#clear_tx_flags=1
+#promisc=1
+
+[service]
+# lcore id for i/o service, use comma to split
+iocore={{ mrzcpd.iocore }}
+distmode=2
+hashmode=0
+
+[eal]
+virtaddr=0x7f40c4a00000
+loglevel=7
+
+[keepalive]
+check_spinlock=0
+
+[ctrlzone]
+ctrlzone0=tunnat,64
+
+[pool]
+create_mode=3
+sz_direct_pktmbuf=4194304
+sz_indirect_pktmbuf=8192
+sz_cache=256
+sz_data=4096
+
+[forward]
+nr_forward_rule=4
+forward_rule_0=pv,{{inline_device_config.data_incoming}},{{inline_device_config.data_incoming}}
+forward_rule_1=vp,{{inline_device_config.data_incoming}},{{inline_device_config.data_incoming}}
+forward_rule_2=vv,vxlan_fwd,vxlan_user
+forward_rule_3=vv,vxlan_user,vxlan_fwd
diff --git a/roles/mrzcpd/templates/server_inline/mrtunnat.conf.server_inline.j2 b/roles/mrzcpd/templates/server_inline/mrtunnat.conf.server_inline.j2
new file mode 100644
index 0000000..7f09bae
--- /dev/null
+++ b/roles/mrzcpd/templates/server_inline/mrtunnat.conf.server_inline.j2
@@ -0,0 +1,18 @@
+[tunnat]
+lcore_id={{ mrtunnat.lcore_id }}
+appsym=tunnat
+phydev={{inline_device_config.data_incoming}}
+virtdev=vxlan_fwd
+nr_max_sessions=524280
+nr_slots=1048576
+expire_time=60
+reverse_tunnel=0
+use_recent_tunnel=0
+use_tuple4_as_sskey=1
+ctrlzone_addr_info_type=2
+
+[vlan_flipping]
+enable=0
+c_router_vlan_id_0=1000
+i_router_vlan_id_0=1001
+en_mac_flipping_0=0
diff --git a/roles/mrzcpd/templates/traffic_mirror/mrglobal.conf.traffic_mirror.j2 b/roles/mrzcpd/templates/traffic_mirror/mrglobal.conf.traffic_mirror.j2
new file mode 100644
index 0000000..00e70ab
--- /dev/null
+++ b/roles/mrzcpd/templates/traffic_mirror/mrglobal.conf.traffic_mirror.j2
@@ -0,0 +1,27 @@
+[device]
+device={{nic_traffic_mirror.name}}
+sz_tunnel=8192
+sz_buffer=0
+
+[device:{{nic_traffic_mirror.name}}]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+promisc=1
+
+[service]
+iocore={{ mcn123_mrzcpd.iocore }}
+
+[eal]
+virtaddr=0x7d0000000000
+loglevel=7
+
+[keepalive]
+check_spinlock=1
+
+[pool]
+create_mode=3
+sz_direct_pktmbuf=4194304
+sz_indirect_pktmbuf=8192
+sz_cache=256
+sz_data=4096
diff --git a/roles/sapp/files/maat_redis_tool b/roles/sapp/files/maat_redis_tool
new file mode 100644
index 0000000..9e797bb
Binary files /dev/null and b/roles/sapp/files/maat_redis_tool differ
diff --git a/roles/sapp/files/memory.conf b/roles/sapp/files/memory.conf
new file mode 100644
index 0000000..c0255fc
--- /dev/null
+++ b/roles/sapp/files/memory.conf
@@ -0,0 +1,3 @@
+[Service]
+MemoryLimit=80G
+ExecStartPost=/bin/bash -c "echo 80G > /sys/fs/cgroup/memory/system.slice/sapp.service/memory.memsw.limit_in_bytes"
diff --git a/roles/sapp/files/sapp-4.2.25.893d15d-2.el7.x86_64.rpm b/roles/sapp/files/sapp-4.2.25.893d15d-2.el7.x86_64.rpm
new file mode 100644
index 0000000..ca045ab
Binary files /dev/null and b/roles/sapp/files/sapp-4.2.25.893d15d-2.el7.x86_64.rpm differ
diff --git a/roles/sapp/files/tcpdump_mesa-1.0.2.0c5a950-2.el7.x86_64.rpm b/roles/sapp/files/tcpdump_mesa-1.0.2.0c5a950-2.el7.x86_64.rpm
new file mode 100644
index 0000000..c5cb8cf
Binary files /dev/null and b/roles/sapp/files/tcpdump_mesa-1.0.2.0c5a950-2.el7.x86_64.rpm differ
diff --git a/roles/sapp/files/tera_fake_promisc_setup.conf b/roles/sapp/files/tera_fake_promisc_setup.conf
new file mode 100644
index 0000000..f505012
--- /dev/null
+++ b/roles/sapp/files/tera_fake_promisc_setup.conf
@@ -0,0 +1,2 @@
+[Service]
+ExecStartPre=/bin/bash tera_fake_promisc_setup.sh
diff --git a/roles/sapp/files/tera_fake_promisc_setup.sh b/roles/sapp/files/tera_fake_promisc_setup.sh
new file mode 100644
index 0000000..4e8665a
--- /dev/null
+++ b/roles/sapp/files/tera_fake_promisc_setup.sh
@@ -0,0 +1,4 @@
+set -ex
+dp_adapter_ether_addr=$(ifconfig ens1f2 | grep ether | awk '{print $2}')
+bpf_rule="ether dst $dp_adapter_ether_addr or ether dst 02:42:c0:a8:fd:03 or ether dst 02:42:c0:a8:fd:83 or ether dst 02:42:c0:a8:fd:82"
+sed -i "/BSD_packet_filter=/s/=.*/=\"$bpf_rule\"/" etc/sapp.toml
diff --git a/roles/sapp/tasks/main.yml b/roles/sapp/tasks/main.yml
new file mode 100644
index 0000000..3b7dd38
--- /dev/null
+++ b/roles/sapp/tasks/main.yml
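Review bot: In tera_fake_promisc_setup.sh the MAC lookup on line 2 can come back empty without stopping the script, because `set -ex` does not fail a pipeline whose last command (`awk`) succeeds; the rule then starts with `ether dst  or ether dst …` and is written into sapp.toml as an invalid filter. Use `set -euo pipefail` and add `[ -n "$dp_adapter_ether_addr" ] || { echo "no MAC for ens1f2" >&2; exit 1; }` before `bpf_rule` is built. The `sed` address `/BSD_packet_filter=/` also matches both `BSD_packet_filter=""` lines of the sapp.toml.j2 added in this commit (under `[packet_io.feature]` and `[tools.pkt_dump]`), so the dump tool's filter is rewritten as well; if only the capture filter is meant, the expression should be scoped to that section. The relative path `etc/sapp.toml` resolves only while the unit's WorkingDirectory stays /home/mesasoft/sapp_run.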
@@ -0,0 +1,104 @@
+---
+- name: "copy sapp to destination server"
+ copy:
+ src: "{{ role_path }}/files/"
+ dest: /tmp/ansible_deploy/
+
+- name: "copy maat_redis_tool to destination server"
+ copy:
+ src: "{{ role_path }}/files/maat_redis_tool"
+ dest: /usr/local/bin
+ mode: 0755
+
+- name: "install sapp rpms from localhost"
+ yum:
+ name:
+ - /tmp/ansible_deploy/sapp-4.2.25.893d15d-2.el7.x86_64.rpm
+ state: present
+
+- name: "install tcpdump_mesa rpms from localhost"
+ yum:
+ name:
+ - /tmp/ansible_deploy/tcpdump_mesa-1.0.2.0c5a950-2.el7.x86_64.rpm
+ state: present
+ skip_broken: yes
+
+- name: "mkdir tsgconf"
+ file:
+ path: /home/mesasoft/sapp_run/tsgconf
+ state: directory
+
+- name: Template the sapp.toml
+ template:
+ src: "{{ role_path }}/templates/sapp.toml.j2"
+ dest: /home/mesasoft/sapp_run/etc/sapp.toml
+ tags: template
+
+- name: Template the project_list.conf
+ template:
+ src: "{{ role_path }}/templates/project_list.conf.j2"
+ dest: /home/mesasoft/sapp_run/etc/project_list.conf
+ tags: template
+
+- name: Template the conflist.inf
+ template:
+ src: "{{ role_path }}/templates/conflist.inf.j2"
+ dest: /home/mesasoft/sapp_run/plug/conflist.inf
+ tags: template
+
+- name: Template the sapp_log.conf
+ template:
+ src: "{{ role_path }}/templates/sapp_log.conf.j2"
+ dest: /home/mesasoft/sapp_run/etc/sapp_log.conf
+ tags: template
+
+- name: Template the sapp_tmpfile.conf
+ template:
+ src: "{{ role_path }}/templates/sapp_tmpfile.conf.j2"
+ dest: /etc/tmpfiles.d/sapp_tmpfile.conf
+ tags: template
+
+- name: Template the gdev.conf
+ template:
+ src: "{{ role_path }}/templates/gdev.conf.j2"
+ dest: /home/mesasoft/sapp_run/etc/gdev.conf
+ when: tsg_access_type == 1
+
+- name: Template the vlan_flipping_map.conf
+ template:
+ src: "{{ role_path }}/templates/vlan_flipping_map.conf.j2"
+ dest: /home/mesasoft/sapp_run/etc/vlan_flipping_map.conf
+ when: tsg_access_type == 2
+
+
+- name: "Template sapp.service destination server"
+ template:
+ src: "{{ role_path }}/templates/sapp.service.j2"
+ dest: /usr/lib/systemd/system/sapp.service
+ mode: 0755
+
+- name: "copy memory limit file to sapp.service.d"
+ copy:
+ src: "{{ role_path }}/files/memory.conf"
+ dest: /etc/systemd/system/sapp.service.d/
+ mode: 0644
+
+- name: "copy fake promisc tools for tera mode - service file"
+ copy:
+ src: "{{ role_path }}/files/tera_fake_promisc_setup.conf"
+ dest: /etc/systemd/system/sapp.service.d/
+ mode: 0644
+ when: tsg_access_type == 2
+
+- name: "copy fake promisc tools for tera mode - scripts"
+ copy:
+ src: "{{ role_path }}/files/tera_fake_promisc_setup.sh"
+ dest: /home/mesasoft/sapp_run/tera_fake_promisc_setup.sh
+ mode: 0755
+ when: tsg_access_type == 2
+
+- name: "enable sapp"
+ systemd:
+ name: sapp
+ enabled: yes
+ daemon_reload: yes
diff --git a/roles/sapp/templates/conflist.inf.j2 b/roles/sapp/templates/conflist.inf.j2
new file mode 100644
index 0000000..dd5f99c
--- /dev/null
+++ b/roles/sapp/templates/conflist.inf.j2
@@ -0,0 +1,12 @@
+[platform]
+
+[protocol]
+./plug/protocol/ssl/ssl.inf
+./plug/protocol/http/http.inf
+./plug/protocol/dns/dns.inf
+./plug/protocol/mail/mail.inf
+./plug/protocol/ftp/ftp.inf
+./plug/protocol/quic/quic.inf
+./plug/protocol/l2tp_protocol_plug/l2tp_protocol_plug.inf
+
+[business]
diff --git a/roles/sapp/templates/gdev.conf.j2 b/roles/sapp/templates/gdev.conf.j2
new file mode 100644
index 0000000..0ce756a
--- /dev/null
+++ b/roles/sapp/templates/gdev.conf.j2
@@ -0,0 +1,11 @@
+[Module]
+{% if tsg_running_type == 2 %}
+pcapdevice={{ nic_data_incoming.name }}
+sendto_gdev_card={{ nic_data_incoming.name }}
+sendto_gdev_ip={{ inline_device_config.keepalive_ip }}
+{% else %}
+pcapdevice={{ inline_device_config.data_incoming }}
+sendto_gdev_card={{ inline_device_config.data_incoming }}
+sendto_gdev_ip={{ inline_device_config.keepalive_ip }}
+{% endif %}
+gdev_status_switch=1
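Review bot: In roles/sapp/tasks/main.yml the first task stages the whole `files/` directory in `/tmp/ansible_deploy/` and the two `yum` tasks then install RPMs from that path as root, but no task in this hunk creates the directory with a fixed owner and mode. A predictable directory under world-writable /tmp is not under the playbook's control on a host with other local accounts; whether another role already creates it safely is not visible here. Create the staging directory root-owned and private before the copy (or stage outside /tmp), as sketched below. Separately, `sapp.service` is templated with `mode: 0755`; unit files are not executables, and `mode: 0644` would match the drop-ins installed later in the same hunk.

```yaml
- name: "create private staging directory"
  file:
    path: /tmp/ansible_deploy
    state: directory
    owner: root
    group: root
    mode: "0700"

# … unchanged: copy, yum, template and systemd tasks …
```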
diff --git a/roles/sapp/templates/project_list.conf.j2 b/roles/sapp/templates/project_list.conf.j2
new file mode 100644
index 0000000..ce5e9a3
--- /dev/null
+++ b/roles/sapp/templates/project_list.conf.j2
@@ -0,0 +1,20 @@
+tcp_flow_stat struct
+udp_flow_stat struct
+tcp_deduce_flow_stat struct
+POLICY_PRIORITY struct
+ESTABLISH_LATENCY long
+MAIL_IDENTIFY int
+TSG_MASTER_INTERNAL_LABEL struct
+APP_ID_LABEL struct
+BASIC_PROTO_LABEL struct
+USER_DEFINED_ATTRIBUTE struct
+SKETCH_TRANS_LAYER_CTX_LABEL struct
+SKETCH_PROTO_CTX_LABEL struct
+common_link_info_c2s struct
+common_link_info_s2c struct
+common_link_info struct
+JA3_FINGERPRINT_LABEL struct
+DKPT_PRO_V2 struct
+DPKT_PROJECT_V2 struct
+PPROJECT_PRO_V2 struct
+DPKT_BHSTAT_PROJECT struct
diff --git a/roles/sapp/templates/sapp.service.j2 b/roles/sapp/templates/sapp.service.j2
new file mode 100644
index 0000000..fc91415
--- /dev/null
+++ b/roles/sapp/templates/sapp.service.j2
@@ -0,0 +1,22 @@
+[Unit]
+Description=sapp service
+{% if tsg_running_type != 0 %}
+Requires=mrzcpd.service
+After=mrzcpd.service
+{% endif %}
+[Service]
+Type=notify
+WorkingDirectory=/home/mesasoft/sapp_run
+ExecStart=/home/mesasoft/sapp_run/sapp
+TimeoutSec=900s
+RestartSec=10s
+Restart=always
+LimitNOFILE=524288
+LimitNPROC=infinity
+LimitCORE=0
+TasksMax=infinity
+Delegate=yes
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/sapp/templates/sapp.toml.j2 b/roles/sapp/templates/sapp.toml.j2
new file mode 100644
index 0000000..2fc5896
--- /dev/null
+++ b/roles/sapp/templates/sapp.toml.j2
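Review bot: The `[Service]` section of sapp.service.j2 sets no `User=` and no sandboxing directive, so the packet-parsing process runs as root with full privileges while it handles untrusted network traffic. If sapp's capture and hugepage needs allow it, add `NoNewPrivileges=yes` and a `CapabilityBoundingSet=` limited to what the process actually uses (probably CAP_NET_RAW, CAP_NET_ADMIN and CAP_IPC_LOCK, to be confirmed against the binary). `KillMode=process` together with `Delegate=yes` also leaves any child processes running across a stop or restart; a short comment in the unit saying why that is intended would help the next maintainer.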
@@ -0,0 +1,225 @@
+###################################################################################################
+# NOTE:
+# The format of this file is toml (https://github.com/cktan/tomlc99)
+# to make vim editor display colorful and human readable,
+# you can create a symbolic links named sapp.ini to sapp.toml, ln -sf sapp.toml sapp.ini
+###################################################################################################
+
+[SYSTEM]
+instance_name = "sapp4"
+
+[CPU]
+{% if tsg_access_type == 0 %}
+worker_threads=1
+{% else %}
+worker_threads={{ sapp.worker_threads }}
+{% endif %}
+send_only_threads_max={{ sapp.send_only_threads_max }}
+### note, bind_mask, if you do not want to bind thread to special CPU core, keep it empty as []
+{% if tsg_access_type == 0 %}
+bind_mask=[]
+{% else %}
+bind_mask=[{{ sapp.bind_mask }}]
+{% endif %}
+
+[MEM]
+dictator_enable=0
+
+[PACKET_IO]
+
+ [overlay_tunnel_definition]
+### note, since 2020-10-01, L2-L3 tunnel(VLAN,MPLS,PPPOE,etc.) is process and offload by mrtunnat,
+### after 2020-10-01, sapp support L2-L3 tunnel(VLAN,MPLS,PPPOE,etc.) without mrtunnat.
+ l2_l3_tunnel_support=1
+
+### note, optional value is [none, vxlan]
+ overlay_mode=none
+ stream_compare_layer_cfg_file="etc/stream_compare_layer.conf"
+ vlan_flipping_cfg_file="etc/vlan_flipping_map.conf"
+ asymmetric_presence_layer_cfg_file="etc/asymmetric_presence_layer.conf"
+ asymmetric_addr_layer_cfg_file="etc/asymmetric_addr_layer.conf"
+ prune_inject_layer_cfg_file="etc/prune_inject_layer.conf"
+
+ [packet_io.feature]
+
+ {% if tsg_access_type == 4 %}
+ ### note, used to represent inbound or outbound direction value,
+ ### because it comes from Third party device, so it needs to be specified manually,
+ ### if inbound_route_dir=1, then outbound_route_dir=0, vice versa,
+ ### in other words, outbound_route_dir = 1 ^ inbound_route_dir;
+ inbound_route_dir={{ sapp.inbound_route_dir }}
+ {% endif %}
+
+### note, BSD_packet_filter, if you do not want to set any filter rule, keep it empty as ""
+ BSD_packet_filter=""
+
+### note, same as tcpdump -Q/-P arg, possible values are `in', `out' and `inout', default is "in"
+ pcap_capture_direction="in"
+
+
+### note, depolyment.mode options: [sys_route, vxlan_by_inline_device, raw_ethernet_single_gateway, raw_ethernet_multi_gateway]
+### sys_route: send ip(ipv6) packet by system route table, this is default mode in mirror mode;
+### vxlan_by_inline_device: encapsulation inject packet with vxlan, and then send to inline device by udp socket.
+### raw_ethernet_single_gateway: send layer2 ethernet packet to specific gateway in same broadcast domain.
+### raw_ethernet_multi_gateway: send layer2 ethernet packet to multiple gateway in same broadcast domain.
+ inject_pkt_mode=sys_route
+
+### note, this config is valid if inject_pkt_mode==vxlan_by_inline_device, means udp socket src port.
+ inject_mode_inline_device_sport=54789
+
+### note, this config is valid if inject_pkt_mode==raw_ethernet_single_gateway.
+ inject_mode_single_gateway_device="eth1"
+### inject_mode_single_gateway_src_mac has lower priority than get smac from inject_mode_single_gateway_device
+ inject_mode_single_gateway_src_mac="00:11:22:77:88:99"
+ inject_mode_single_gateway_dst_mac="00:11:22:33:44:55"
+ dumpfile_sleep_time_before_exit=3
+
+### note, depolyment.mode options: [mirror, inline, transparent]
+ [packet_io.depolyment]
+ {% if tsg_access_type == 0 %}
+ mode=transparent
+ {% else %}
+ mode=inline
+ {% endif %}
+
+### note, interface.type options: [pag,pcap,marsio]
+ [packet_io.internal.interface]
+ {% if tsg_access_type == 0 %}
+ type=pcap
+ name={{packet_io.internal_interface}}
+ {% else %}
+ type=marsio
+ name={{nic_data_incoming.name}}
+ {% endif %}
+
+ [packet_io.external.interface]
+ {% if tsg_access_type == 0 %}
+ type=pcap
+ name={{packet_io.external_interface}}
+ {% else %}
+ type=pcap
+ name=lo
+ {% endif %}
+
+ [packet_io.polling]
+### note, polling_priority = call sapp_recv_pkt every call polling_entry times,
+ polling_priority=1
+
+[PROTOCOL_FEATURE]
+ ipv6_decapsulation_enabled=1
+ ipv6_send_packet_enabled=1
+ tcp_drop_pure_ack_pkt=0
+ tcp_syn_option_parse_enabled=1
+ skip_not_ip_layer_over_eth=0
+ treat_vlan_as_mac_in_mac=0
+ reverse_ethernet_addr=1
+
+
+[STREAM]
+### note, stream_id_base_time format is "%Y-%m-%d %H:%M:%S"
+ stream_id_base_time="2018-08-08 08:00:00"
+ [stream.tcp]
+ max=100000
+ timeout=30
+ syn_mandatory=1
+ reorder_pkt_max=128
+ analyse_option_enabled=1
+ tuple4_reuse_time_interval=30
+
+ meaningful_statistics_minimum_pkt=3
+ meaningful_statistics_minimum_byte=5
+
+ [stream.tcp.inject]
+ link_mss=1460
+
+ [stream.tcp.inject.rst]
+ auto_remedy=0
+ number=3
+ signature_enabled=1
+ signature_seed1=65535
+ signature_seed2=13
+ remedy_kill_tcp_by_inline_device=0
+
+ [stream.udp]
+ max=100000
+ timeout=60
+ meaningful_statistics_minimum_pkt=3
+ meaningful_statistics_minimum_byte=5
+
+
+[PROFILING]
+ [profiling.pkt_latency]
+ enabled=0
+### note, threshold unit is microseconds (us)
+ threshold=1000000
+
+ [profiling.sanity_check]
+ raw_pkt_broken_enabled=0
+ symbol_conflict_enabled=0
+
+ [profiling.log]
+ level=10
+ interval=5
+
+ [profiling.log.local]
+ enabled=1
+### note, if "file_truncate_open_enabled=1", file will be truncated, otherwise open the file for appending.
+ file_truncate_enabled = 1
+ log_file_name = "fs2_sysinfo.log"
+ log_conf_name = "etc/sapp_log.conf"
+ [profiling.log.remote]
+ enabled=1
+ server_ip=127.0.0.1
+ server_port=8100
+
+ [profiling.log.remote.field_stat2]
+### note, is valid when "remote_send_out_type=field_stat2"
+### note, metric_type option value: [default, json]
+ metric_type = default
+ app_name=sapp
+
+ [profiling.log.prometheus]
+ prometheus_enabled={{ sapp_prometheus_enable }}
+ prometheus_port={{ sapp_prometheus_port }}
+ prometheus_url_path="{{ sapp_prometheus_url_path }}"
+
+[TOOLS]
+ [tools.pkt_dump]
+ enabled=1
+### note, mode options value:[storage, udp_socket]
+ mode=udp_socket
+ BSD_packet_filter=""
+
+ [tools.pkt_dump.threads]
+### note, if you want enable pkt dump in all thread, set dump_thread_all_enabled=1, then 'dump_thread_id' is obsoleted.
+### if dump_thread_all_enabled=0, then use dump_thread_id to specify separate specified thread index.
+ all_threads_enabled=1
+
+### note, dump_thread_id start from 0, max is CPU.worker_threads-1
+ dump_thread_id=[0,1,2,3,4]
+
+ [tools.pkt_dump.udp]
+ command_port=9345
+
+ [tools.pkt_dump.storage]
+### note, file path must be double quotation mark extension, for example, path="/dev/shm/pkt_dump"
+ path="/dev/shm/pkt_dump"
+### note, file size unit: MB
+ file_size_max_per_thread=10000
+
+### note:
+### These configurations format is complex and difficult to describe with toml grammar,
+### so, create a Independent config file to description specific information.
+[SPECIAL_CONFIG_LINK]
+ project_list_path="./etc/project_list.conf"
+ plugin_path="./etc/plugin.conf"
+ entrylist_path="./etc/entrylist.conf"
+ send_raw_pkt_path="./etc/send_raw_pkt.conf"
+ vxlan_sport_service_map_path="./etc/vxlan_sport_service_map.conf"
+
+[breakpad]
+ disable_coredump=1
+ enable_breakpad=1
+ breakpad_minidump_dir="/tmp/crashreport"
+ enable_breakpad_upload=1
+ breakpad_upload_url="{{ breakpad_upload_url }}"
diff --git a/roles/sapp/templates/sapp_log.conf.j2 b/roles/sapp/templates/sapp_log.conf.j2
new file mode 100644
index 0000000..8ec2230
--- /dev/null
+++ b/roles/sapp/templates/sapp_log.conf.j2
@@ -0,0 +1,14 @@
+[global]
+default format = "%d(%c), %V, %U, %m%n"
+[levels]
+DEBUG=10
+INFO=20
+FATAL=30
+[formats]
+other = "%d(%c), %V, %F, %U, %m%n"
+plugin = "%d(%c), %m%n"
+[rules]
+__log_runtimelog.info "./log/runtimelog.%d(%F)"
+__log_runtimelog_plugin.fatal >stdout; plugin
+__log_runtimelog_plugin.info "./log/plugin.log"; plugin
+!.fatal "./log/%c.%d(%F)"; other
diff --git a/roles/sapp/templates/sapp_tmpfile.conf.j2 b/roles/sapp/templates/sapp_tmpfile.conf.j2
new file mode 100644
index 0000000..485725b
--- /dev/null
+++ b/roles/sapp/templates/sapp_tmpfile.conf.j2
@@ -0,0 +1 @@
+d /home/mesasoft/sapp_run/log 0755 - - 2d -
diff --git a/roles/sapp/templates/vlan_flipping_map.conf.j2 b/roles/sapp/templates/vlan_flipping_map.conf.j2
new file mode 100644
index 0000000..599e8f8
--- /dev/null
+++ b/roles/sapp/templates/vlan_flipping_map.conf.j2
@@ -0,0 +1,11 @@
+#for inline a device vlan flipping
+#数据包来自C路由器端, 即C2I(I2E)方向,
+#数据包来自I路由器端, 即I2C(E2I)方向,
+#平台会根据vlan_id,设置当前包route_dir的值, 以便上层业务插件做两个方向的流量统计,
+#如果一对vlan_id写反了, 网络是通的, 但是I2E,E2I的流量统计就颠倒了.
+#配置文件格式, pattern:
+#来自C路由器vlan_id 来自I路由器vlan_id 是否开启mac地址翻转
+#C_router_vlan_id I_router_vlan_id mac_flipping_enable
+1301 1302 1
+1201 1202 1
+4000 4001 0
diff --git a/server_deploy.yml b/server_deploy.yml
new file mode 100644
index 0000000..548630b
--- /dev/null
+++ b/server_deploy.yml
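Review bot: In sapp.toml.j2, `[tools.pkt_dump]` ships with `enabled=1`, `mode=udp_socket`, `all_threads_enabled=1` and `command_port=9345`, so every host deployed from this template has a packet-export facility switched on by default; the template does not show which address the command port binds to. Make it opt-in, for example `enabled={{ sapp_pkt_dump_enable | default(0) }}`, and have the firewall role restrict port 9345 unless it is known to be loopback-only. In `[breakpad]`, `enable_breakpad_upload=1` sends minidumps, which can contain captured payload memory, to `{{ breakpad_upload_url }}`; that variable is not defined in install_config/group_vars/server_as_tun_mode.yml as added by this commit (it may come from another vars file). `breakpad_minidump_dir="/tmp/crashreport"` also places the dumps under a world-writable parent, where a dedicated root-owned directory would be safer.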
@@ -0,0 +1,10 @@
+- hosts: server_as_tun_mode
+ remote_user: root
+ vars_files:
+ - install_config/group_vars/server_as_tun_mode.yml
+ roles:
+ - {role: framework, tags: framework}
+ - {role: kernel-ml, tags: kernel-ml}
+ - {role: mrzcpd, tags: mrzcpd}
+ - {role: sapp, tags: sapp}
+ - {role: firewall, tags: firewall}
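Review bot: `remote_user: root` in server_deploy.yml makes the playbook depend on direct root SSH login to every host in `server_as_tun_mode`. Prefer an unprivileged deployment account with `become: yes` on the play, so root login over SSH can stay disabled and privileged actions are attributable through sudo logs. If root login is a deliberate constraint of these appliances, a comment on the play saying so would be enough.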