authorliuxueli <[email protected]>2020-10-16 09:55:34 +0800
committerliuxueli <[email protected]>2020-10-16 09:55:34 +0800
commit27f242ec8f662ebcaa2548da62dc32e0c82697e9 (patch)
tree41f515a371f1d3eb2d3d2c34725dfbaefc53dc19
parentb2c9836677a436c5afd90b42ff52f754bc2f0d98 (diff)
parent44885b6f02866c96e947ba409af4e12d758b8945 (diff)
Merge branch 'tsg-version20.11.rc1-deploy-firewall' of https://git.mesalab.cn/tsg/tsg-scripts into tsg-version20.11.rc1-deploy-firewall
# Conflicts: # roles/firewall/tasks/main.yml
-rw-r--r--install_config/group_vars/adc_global.yml11
-rw-r--r--install_config/group_vars/server_as_tun_mode.yml12
-rw-r--r--roles/app_global/files/app-sketch-global-1.0.2.20200918.ab44d17-1.el7.x86_64.rpmbin0 -> 105068 bytes
-rwxr-xr-xroles/app_global/files/app-sketch-global-1.0.2.20200918.c702d02-1.el7.x86_64.rpmbin104688 -> 0 bytes
-rw-r--r--roles/app_global/tasks/main.yml7
-rw-r--r--roles/app_global/templates/app_sketch_global.conf.j211
-rw-r--r--roles/app_global/templates/zlog.conf.j212
-rw-r--r--roles/certstore/files/certstore-2.1.2.202009.87fcacf-1.el7.x86_64.rpmbin2122220 -> 0 bytes
-rw-r--r--roles/certstore/files/certstore-2.1.2.20200923.a36312c-1.el7.x86_64.rpmbin0 -> 2123332 bytes
-rw-r--r--roles/certstore/tasks/main.yml7
-rw-r--r--roles/certstore/templates/cert_store.ini.j222
-rw-r--r--roles/certstore/templates/zlog.conf.j210
-rw-r--r--roles/firewall/files/fw_ssl_plug-3.0.3.71f6bff-2.el7.x86_64.rpmbin0 -> 14744 bytes
-rw-r--r--roles/tfe/files/tfe-4.3.10.fb02543-1.el7.x86_64.rpmbin3911528 -> 0 bytes
-rw-r--r--roles/tfe/files/tfe-4.3.11.90ac86a-1.el7.x86_64.rpmbin0 -> 3916240 bytes
-rw-r--r--roles/tfe/tasks/main.yml5
-rwxr-xr-xroles/tfe/templates/doh.conf.j214
-rwxr-xr-xroles/tfe/templates/future.conf.j27
-rw-r--r--roles/tfe/templates/pangu_pxy.conf.j22
-rw-r--r--roles/tfe/templates/tfe.conf.j226
-rw-r--r--roles/tfe/templates/zlog.conf.j220
21 files changed, 112 insertions, 54 deletions
diff --git a/install_config/group_vars/adc_global.yml b/install_config/group_vars/adc_global.yml
index 711e6bf..01f3eab 100644
--- a/install_config/group_vars/adc_global.yml
+++ b/install_config/group_vars/adc_global.yml
@@ -46,10 +46,13 @@ capture_packet_log_level: 10
tsg_log_level: 10
tsg_master_log_level: 10
kni_log_level: 10
-tfe_log_level: 10
-tfe_http_log_level: 10
-pangu_log_level: 10
-doh_log_level: 10
+
+#日志等级 DEBUG INFO FATAL
+tfe_log_level: DEBUG
+tfe_http_log_level: DEBUG
+pangu_log_level: DEBUG
+doh_log_level: DEBUG
+
certstore_log_level: 10
clotho_log_level: 10
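Review bot: The four proxy log levels (`tfe_log_level`, `tfe_http_log_level`, `pangu_log_level`, `doh_log_level`) now default to `DEBUG` in the shared group_vars, and install_config/group_vars/server_as_tun_mode.yml gets the same values. On an intercepting proxy, debug output for the HTTP and DoH paths may well include requested hosts, URLs or query names, and it grows the per-day log files quickly, so I would ship `INFO` and let a site raise it while troubleshooting, e.g. `tfe_log_level: INFO`. The new comment would be easier to maintain in English, and it should say that these four now take a zlog level name while the neighbouring `*_log_level: 10` entries are still numeric: `# zlog level name used in the tfe zlog.conf rules: DEBUG | INFO | FATAL`.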
diff --git a/install_config/group_vars/server_as_tun_mode.yml b/install_config/group_vars/server_as_tun_mode.yml
index ca244c3..f3a8d54 100644
--- a/install_config/group_vars/server_as_tun_mode.yml
+++ b/install_config/group_vars/server_as_tun_mode.yml
@@ -51,10 +51,14 @@ capture_packet_log_level: 10
tsg_log_level: 10
tsg_master_log_level: 10
kni_log_level: 10
-tfe_log_level: 10
-tfe_http_log_level: 10
-pangu_log_level: 10
-doh_log_level: 10
+
+
+#日志等级 DEBUG INFO FATAL
+tfe_log_level: DEBUG
+tfe_http_log_level: DEBUG
+pangu_log_level: DEBUG
+doh_log_level: DEBUG
+
certstore_log_level: 10
clotho_log_level: 10
diff --git a/roles/app_global/files/app-sketch-global-1.0.2.20200918.ab44d17-1.el7.x86_64.rpm b/roles/app_global/files/app-sketch-global-1.0.2.20200918.ab44d17-1.el7.x86_64.rpm
new file mode 100644
index 0000000..be99755
--- /dev/null
+++ b/roles/app_global/files/app-sketch-global-1.0.2.20200918.ab44d17-1.el7.x86_64.rpm
Binary files differ
diff --git a/roles/app_global/files/app-sketch-global-1.0.2.20200918.c702d02-1.el7.x86_64.rpm b/roles/app_global/files/app-sketch-global-1.0.2.20200918.c702d02-1.el7.x86_64.rpm
deleted file mode 100755
index eaf7714..0000000
--- a/roles/app_global/files/app-sketch-global-1.0.2.20200918.c702d02-1.el7.x86_64.rpm
+++ /dev/null
Binary files differ
diff --git a/roles/app_global/tasks/main.yml b/roles/app_global/tasks/main.yml
index 484c740..bf9c908 100644
--- a/roles/app_global/tasks/main.yml
+++ b/roles/app_global/tasks/main.yml
@@ -7,7 +7,7 @@
yum:
name:
- /tmp/ansible_deploy/emqx-centos7-v4.1.2.x86_64.rpm
- - /tmp/ansible_deploy/app-sketch-global-1.0.2.20200918.c702d02-1.el7.x86_64.rpm
+ - /tmp/ansible_deploy/app-sketch-global-1.0.2.20200918.ab44d17-1.el7.x86_64.rpm
state: present
- name: "template the app_sketch_global.conf"
@@ -15,6 +15,11 @@
src: "{{ role_path }}/templates/app_sketch_global.conf.j2"
dest: /opt/tsg/app-sketch-global/conf/app_sketch_global.conf
+- name: "template the zlog.conf"
+ template:
+ src: "{{ role_path }}/templates/zlog.conf.j2"
+ dest: /opt/tsg/app-sketch-global/conf/zlog.conf
+
- name: "Start emqx"
systemd:
name: emqx.service
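Review bot: The new `template the zlog.conf` task sets no `owner`, `group` or `mode`, so the rendered file's permissions depend on the umask of the connecting user; the same applies to the zlog tasks added in roles/certstore/tasks/main.yml and roles/tfe/tasks/main.yml. Since this file decides where the service writes its logs and at what level, I would pin it, e.g. `owner: root`, `group: root`, `mode: "0644"`. None of the three tasks carries a `notify:`, so whether a changed level is picked up depends on a later restart; the task that follows here continues outside the hunk, so I cannot tell from this view.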
diff --git a/roles/app_global/templates/app_sketch_global.conf.j2 b/roles/app_global/templates/app_sketch_global.conf.j2
index 7e64847..cff2463 100644
--- a/roles/app_global/templates/app_sketch_global.conf.j2
+++ b/roles/app_global/templates/app_sketch_global.conf.j2
@@ -1,9 +1,14 @@
[SYSTEM]
#1:print on screen, 0:don't
DEBUG_SWITCH = 1
-#10:DEBUG, 20:INFO, 30:FATAL
-RUN_LOG_LEVEL = {{ app_sketch_global_log_level }}
-RUN_LOG_PATH = ./logs
+RUN_LOG_PATH = "conf/zlog.conf"
+
+[breakpad]
+disable_coredump=0
+enable_breakpad=1
+breakpad_minidump_dir=/tmp/app-sketch-global/crashreport
+enable_breakpad_upload=0
+breakpad_upload_url=http://127.0.0.1/
[CONFIG]
#Number of running threads
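Review bot: `breakpad_minidump_dir=/tmp/app-sketch-global/crashreport` puts crash dumps under the world-writable /tmp, where another local account can create the directory first and where a minidump, which holds process memory, may end up readable by other users. roles/certstore/templates/cert_store.ini.j2 does the same with `/tmp/certstore/crashreport`, which matters more because that process handles certificate material. tfe.conf.j2 already uses `/run/tfe/crashreport`; a service-owned directory in the same style, e.g. `breakpad_minidump_dir=/run/app-sketch-global/crashreport` created with mode 0700, would be safer. Separately, `RUN_LOG_PATH = "conf/zlog.conf"` now names a config file rather than a log directory and is quoted; whether the parser strips the quotes is not visible here, so a one-line comment above it would help.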
diff --git a/roles/app_global/templates/zlog.conf.j2 b/roles/app_global/templates/zlog.conf.j2
new file mode 100644
index 0000000..0ff890d
--- /dev/null
+++ b/roles/app_global/templates/zlog.conf.j2
@@ -0,0 +1,12 @@
+[global]
+default format = "%d(%c), %V, %F, %U, %m%n"
+[levels]
+DEBUG=10
+INFO=20
+FATAL=30
+[rules]
+*.fatal "./logs/error.log.%d(%F)";
+*.{{ app_sketch_global_log_level }} "./logs/app_sketch_global.log.%d(%F)"
+
+
+
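Review bot: The rule `*.{{ app_sketch_global_log_level }}` needs the variable to render to one of the names declared under `[levels]`, but the group_vars hunks in this commit convert only the tfe, http, pangu and doh variables to names, and the definition of `app_sketch_global_log_level` is not visible in this diff. For the identical rule in roles/certstore/templates/zlog.conf.j2 the mismatch is visible: `certstore_log_level: 10` is left unchanged in both group_vars files, so that rule would render as `*.10`, which I would not expect zlog to accept as a level. Either set `app_sketch_global_log_level: INFO` and `certstore_log_level: INFO` in the group_vars, or fail the play early when the value is not one of DEBUG, INFO, FATAL. The three trailing blank lines at the end of this template can go.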
diff --git a/roles/certstore/files/certstore-2.1.2.202009.87fcacf-1.el7.x86_64.rpm b/roles/certstore/files/certstore-2.1.2.202009.87fcacf-1.el7.x86_64.rpm
deleted file mode 100644
index efc9c2d..0000000
--- a/roles/certstore/files/certstore-2.1.2.202009.87fcacf-1.el7.x86_64.rpm
+++ /dev/null
Binary files differ
diff --git a/roles/certstore/files/certstore-2.1.2.20200923.a36312c-1.el7.x86_64.rpm b/roles/certstore/files/certstore-2.1.2.20200923.a36312c-1.el7.x86_64.rpm
new file mode 100644
index 0000000..3514d39
--- /dev/null
+++ b/roles/certstore/files/certstore-2.1.2.20200923.a36312c-1.el7.x86_64.rpm
Binary files differ
diff --git a/roles/certstore/tasks/main.yml b/roles/certstore/tasks/main.yml
index 2f444ee..c15e9ea 100644
--- a/roles/certstore/tasks/main.yml
+++ b/roles/certstore/tasks/main.yml
@@ -10,7 +10,7 @@
- name: install certstore
yum:
name:
- - /tmp/ansible_deploy/certstore-2.1.2.202009.87fcacf-1.el7.x86_64.rpm
+ - /tmp/ansible_deploy/certstore-2.1.2.20200923.a36312c-1.el7.x86_64.rpm
state: present
- name: template certstore configure file
@@ -18,6 +18,11 @@
src: "{{ role_path }}/templates/cert_store.ini.j2"
dest: /opt/tsg/certstore/conf/cert_store.ini
+- name: template certstore zlog file
+ template:
+ src: "{{ role_path }}/templates/zlog.conf.j2"
+ dest: /opt/tsg/certstore/conf/zlog.conf
+
- name: "start certstore"
systemd:
name: certstore.service
diff --git a/roles/certstore/templates/cert_store.ini.j2 b/roles/certstore/templates/cert_store.ini.j2
index 0067391..1c5a3c9 100644
--- a/roles/certstore/templates/cert_store.ini.j2
+++ b/roles/certstore/templates/cert_store.ini.j2
@@ -1,9 +1,15 @@
[SYSTEM]
#1:print on screen, 0:don't
DEBUG_SWITCH = 1
-#10:DEBUG, 20:INFO, 30:FATAL
-RUN_LOG_LEVEL = {{ certstore_log_level }}
-RUN_LOG_PATH = ./logs
+RUN_LOG_PATH = "conf/zlog.conf"
+
+[breakpad]
+disable_coredump=0
+enable_breakpad=1
+breakpad_minidump_dir=/tmp/certstore/crashreport
+enable_breakpad_upload=0
+breakpad_upload_url=http://127.0.0.1/
+
[CONFIG]
#Number of running threads
thread-nu = 4
@@ -14,7 +20,8 @@ expire_after = 30
#Local default root certificate path
local_debug = 1
ca_path = ./cert/tango-ca-v3-trust-ca.pem
-untrusted_ca_path = ./cert/mesalab-ca-untrust.pem
+untrusted_ca_path = ./cert/tango-ca-v3-untrust-ca.pem
+
[MAAT]
#Configure the load mode,
#0: using the configuration distribution network
@@ -31,18 +38,21 @@ inc_cfg_dir=./rule/inc/index
full_cfg_dir=./rule/full/index
#Json file path when json schema is used
pxy_obj_keyring=./conf/pxy_obj_keyring.json
+
[LIBEVENT]
#Local monitor port number, default is 9991
port = 9991
+
[CERTSTORE_REDIS]
#The Redis server IP address and port number where the certificate is stored locally
ip = 127.0.0.1
port = 6379
+
[MAAT_REDIS]
#Maat monitors the Redsi server IP address and port number
ip = {{ maat_redis_server.address }}
port = {{ maat_redis_server.port }}
dbindex = {{ maat_redis_server.db }}
[stat]
-statsd_server=192.168.100.1
-statsd_port=8126
+statsd_server=127.0.0.1
+statsd_port=58100
diff --git a/roles/certstore/templates/zlog.conf.j2 b/roles/certstore/templates/zlog.conf.j2
new file mode 100644
index 0000000..02f5f96
--- /dev/null
+++ b/roles/certstore/templates/zlog.conf.j2
@@ -0,0 +1,10 @@
+[global]
+default format = "%d(%c), %V, %F, %U, %m%n"
+[levels]
+DEBUG=10
+INFO=20
+FATAL=30
+[rules]
+*.fatal "./logs/error.log.%d(%F)";
+*.{{ certstore_log_level }} "./logs/certstore.log.%d(%F)"
+
diff --git a/roles/firewall/files/fw_ssl_plug-3.0.3.71f6bff-2.el7.x86_64.rpm b/roles/firewall/files/fw_ssl_plug-3.0.3.71f6bff-2.el7.x86_64.rpm
new file mode 100644
index 0000000..b10ecaf
--- /dev/null
+++ b/roles/firewall/files/fw_ssl_plug-3.0.3.71f6bff-2.el7.x86_64.rpm
Binary files differ
diff --git a/roles/tfe/files/tfe-4.3.10.fb02543-1.el7.x86_64.rpm b/roles/tfe/files/tfe-4.3.10.fb02543-1.el7.x86_64.rpm
deleted file mode 100644
index 3cd49f8..0000000
--- a/roles/tfe/files/tfe-4.3.10.fb02543-1.el7.x86_64.rpm
+++ /dev/null
Binary files differ
diff --git a/roles/tfe/files/tfe-4.3.11.90ac86a-1.el7.x86_64.rpm b/roles/tfe/files/tfe-4.3.11.90ac86a-1.el7.x86_64.rpm
new file mode 100644
index 0000000..ea69aca
--- /dev/null
+++ b/roles/tfe/files/tfe-4.3.11.90ac86a-1.el7.x86_64.rpm
Binary files differ
diff --git a/roles/tfe/tasks/main.yml b/roles/tfe/tasks/main.yml
index d0123be..2dd609d 100644
--- a/roles/tfe/tasks/main.yml
+++ b/roles/tfe/tasks/main.yml
@@ -27,6 +27,11 @@
src: "{{ role_path }}/templates/tfe.conf.j2"
dest: /opt/tsg/tfe/conf/tfe/tfe.conf
+- name: "template the zlog.conf"
+ template:
+ src: "{{ role_path }}/templates/zlog.conf.j2"
+ dest: /opt/tsg/tfe/conf/tfe/zlog.conf
+
- name: "template the future.conf"
template:
src: "{{ role_path }}/templates/future.conf.j2"
diff --git a/roles/tfe/templates/doh.conf.j2 b/roles/tfe/templates/doh.conf.j2
index bc38918..bcfa406 100755
--- a/roles/tfe/templates/doh.conf.j2
+++ b/roles/tfe/templates/doh.conf.j2
@@ -1,27 +1,13 @@
[doh]
-# default 1
enable=1
-[log]
-# default 10
-# RLOG_LV_DEBUG : 10
-# RLOG_LV_INFO : 20
-# RLOG_LV_FATAL : 30
-log_level={{ doh_log_level }}
-
[maat]
-# default TSG_OBJ_APP_ID
table_appid=TSG_OBJ_APP_ID
-# default TSG_SECURITY_ADDR
table_addr=TSG_SECURITY_ADDR
-# default TSG_FIELD_DOH_QNAME
table_qname=TSG_FIELD_DOH_QNAME
-# default TSG_FIELD_HTTP_HOST
table_host=TSG_FIELD_DOH_HOST
[kafka]
-# default 0
ENTRANCE_ID=0
-# default 1
# if enable "en_sendlog", the iterm "tfe.conf [kafka] enable" must set 1
en_sendlog=1
diff --git a/roles/tfe/templates/future.conf.j2 b/roles/tfe/templates/future.conf.j2
index f83d5ec..80254b9 100755
--- a/roles/tfe/templates/future.conf.j2
+++ b/roles/tfe/templates/future.conf.j2
@@ -1,9 +1,10 @@
[STAT]
no_stats=0
-statsd_server=192.168.100.1
-statsd_port=8100
+statsd_server=127.0.0.1
+statsd_port=58100
histogram_bins=0.50,0.80,0.9,0.95
statsd_cycle=5
# FS_OUTPUT_STATSD=1, FS_OUTPUT_INFLUX_LINE=2
statsd_format=2
-print_diff=1
+# printf diff Not available
+# print_diff=1
diff --git a/roles/tfe/templates/pangu_pxy.conf.j2 b/roles/tfe/templates/pangu_pxy.conf.j2
index cf740ec..936d4b2 100644
--- a/roles/tfe/templates/pangu_pxy.conf.j2
+++ b/roles/tfe/templates/pangu_pxy.conf.j2
@@ -1,5 +1,5 @@
[debug]
-log_level={{ pangu_log_level }}
+enable_plugin=1
[log]
# default 1, if enable "en_sendlog", the iterm "tfe.conf [kafka] enable" must set 1
diff --git a/roles/tfe/templates/tfe.conf.j2 b/roles/tfe/templates/tfe.conf.j2
index 6766871..1a2f31c 100644
--- a/roles/tfe/templates/tfe.conf.j2
+++ b/roles/tfe/templates/tfe.conf.j2
@@ -6,7 +6,7 @@ enable_kni_v2=1
# Only when (disable_coredump == 1 || (enable_breakpad == 1 && enable_breakpad_upload == 1)) is satisfied, the core will not be generated locally
disable_coredump=0
enable_breakpad=1
-enable_breakpad_upload=0
+enable_breakpad_upload=1
breakpad_upload_url=http://sentry.mesalab.cn:9000/api/3/minidump/?sentry_key=e8e446bb3bd8435c97f4c01770ca7025
# must be /run/tfe/crashreport,due to tmpfile limit
breakpad_minidump_dir=/run/tfe/crashreport
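Review bot: Flipping `enable_breakpad_upload=1` makes every deployment send crash minidumps to the `breakpad_upload_url` on the next line, which is plain `http://` to an external host and carries the `sentry_key` in the query string. A minidump of an intercepting proxy can contain session keys, private-key material or decrypted payload, so in transit it is readable and modifiable by anyone on the path, and the key is exposed to every reader of the repository and of the rendered file. I would keep the default off and make both values per-site variables, e.g. `enable_breakpad_upload={{ tfe_breakpad_upload | default(0) }}` with an `https://` URL supplied from vaulted vars (the variable name is a suggestion, not an existing one). The comment at the top of the hunk says this combination also suppresses the local core, which is worth stating next to the changed line.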
@@ -35,8 +35,10 @@ watchdog_switch=1
watchdog_port=2476
[ssl]
-ssl_max_version=tls13
-ssl_min_version=ssl3
+ssl_ja3_debug=0
+# ssl version Not available, configured via TSG website
+# ssl_max_version=tls13
+# ssl_min_version=ssl3
ssl_compression=1
no_ssl2=1
no_ssl3=0
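Review bot: With `ssl_min_version` and `ssl_max_version` commented out, this file no longer states a protocol floor, and the comment `ssl version Not available, configured via TSG website` does not say what applies before a policy has been pushed. The unchanged neighbours `ssl_compression=1` and `no_ssl3=0` still leave TLS compression on and SSLv3 permitted as far as this template is concerned, so the effective floor depends entirely on that external setting. I would delete the two dead lines rather than keep them as comments, and replace the note with something like `# min/max TLS version are set per policy via the TSG website; until then the built-in default applies (state it here)`. If tfe 4.3.11 now ignores the removed keys, saying so explicitly would prevent someone re-enabling them.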
@@ -48,7 +50,7 @@ no_cert_verify=0
# session ticket
no_session_ticket=0
-stek_group_num=4
+stek_group_num=4096
stek_rotation_time=3600
# session cache
@@ -68,12 +70,10 @@ service_cache_fail_time_window=30
check_cert_crl=0
{% if tsg_running_type == 2 %}
trusted_cert_load_local=1
-#trusted_cert_file=resource/tfe/tls-ca-bundle.pem
trusted_cert_file=resource/tfe/tsg_diagnose_ca.pem
{% else %}
-trusted_cert_load_local=0
+trusted_cert_load_local=1
trusted_cert_file=resource/tfe/tls-ca-bundle.pem
-#trusted_cert_file=resource/tfe/tsg_diagnose_ca.pem
{% endif %}
trusted_cert_dir=resource/tfe/trusted_storage
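Review bot: After this change both branches set `trusted_cert_load_local=1`, so, as the key name suggests, the upstream trust anchors always come from a file shipped with the deployment (`resource/tfe/tls-ca-bundle.pem` in the else branch) and the only remaining difference is the file name. A bundled CA file goes stale unless something refreshes it, and `check_cert_crl=0` just above means revocation is not checked either, so it is worth recording who updates the bundle and how often. The key can be hoisted out of the conditional, leaving only `trusted_cert_file=` inside `{% if %}`/`{% else %}`, with a comment such as `# trust anchors are always loaded from the local bundle; refreshed by <process>`.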
@@ -131,21 +131,14 @@ tcp_user_timeout=600
tcp_ttl_upstream=75
tcp_ttl_downstream=70
-[log]
-level={{ tfe_log_level }}
-location=log/tfe.log
-
[stat]
-statsd_server=192.168.100.1
-statsd_port=8100
+statsd_server=127.0.0.1
+statsd_port=58100
statsd_cycle=5
# 1:FS_OUTPUT_STATSD; 2:FS_OUTPUT_INFLUX_LINE
statsd_format=2
histogram_bins=0.5,0.8,0.9,0.95
-[http]
-loglevel={{ tfe_http_log_level }}
-
[traffic_mirror]
{% if tsg_running_type != 2 %}
enable={{ tfe.mirror_enable }}
@@ -159,7 +152,6 @@ device={{ nic_traffic_mirror.name }}
type=1
{% endif %}
-
[kafka]
enable=1
NIC_NAME={{ nic_mgr.name }}
diff --git a/roles/tfe/templates/zlog.conf.j2 b/roles/tfe/templates/zlog.conf.j2
new file mode 100644
index 0000000..5688880
--- /dev/null
+++ b/roles/tfe/templates/zlog.conf.j2
@@ -0,0 +1,20 @@
+# kill -s SIGHUP "pid"
+
+[global]
+
+default format = "%d(%c), %V, %F, %U, %m%n"
+
+[levels]
+
+DEBUG=10
+INFO=20
+FATAL=30
+
+[rules]
+
+*.fatal "./log/error.log.%d(%F)";
+tfe.{{ tfe_log_level }} "./log/tfe.log.%d(%F)";
+http.{{ tfe_http_log_level }} "./log/http.log.%d(%F)";
+http2.{{ tfe_http_log_level }} "./log/http2.log.%d(%F)";
+doh.{{ doh_log_level }} "./log/doh_pxy.log.%d(%F)";
+pangu.{{ pangu_log_level }} "./log/pangu_pxy.log.%d(%F)"; \ No newline at end of file
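Review bot: The header comment `# kill -s SIGHUP "pid"` does not say what the signal is for or which process to send it to; if it is meant as the reload instruction, spell it out, e.g. `# after editing, reload with: kill -s SIGHUP <tfe pid>`. All rule paths are relative (`./log/...`), so where the files land depends on the service's working directory, which is not visible here; a short comment naming the expected directory would make that explicit. The file also ends without a trailing newline.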