authorluwenpeng <[email protected]>2021-03-12 17:22:38 +0800
committerluwenpeng <[email protected]>2021-03-12 18:54:20 +0800
commit9a3ac3e15ad35fd6a506db7e0ebe12f1bf76dfe6 (patch)
treedd1cbb0a5ba5c18a84e96e73292dd9a71eb2f5a8
parentc6a966db2f8bc303e3a830e61e094f9929622b97 (diff)
tfe 适配 container
-rw-r--r--config/tfe/doh/doh.conf13
-rw-r--r--config/tfe/pangu/pangu_pxy.conf92
-rw-r--r--config/tfe/tfe/future.conf10
-rw-r--r--config/tfe/tfe/tfe.conf178
-rw-r--r--config/tfe/tfe/zlog.conf20
-rw-r--r--docker-compose.yml20
-rw-r--r--dockerfile/tfe/Dockerfile47
-rw-r--r--dockerfile/tfe/framework.conf1
-rw-r--r--dockerfile/tfe/supervisord.conf188
-rw-r--r--dockerfile/tfe/tfe-4.3.30.202103111806030800.ce55dbd-1.el7.x86_64.rpmbin0 -> 3509860 bytes
-rw-r--r--dockerfile/tfe/tfe-env.sh108
11 files changed, 660 insertions, 17 deletions
diff --git a/config/tfe/doh/doh.conf b/config/tfe/doh/doh.conf
new file mode 100644
index 0000000..452ab41
--- /dev/null
+++ b/config/tfe/doh/doh.conf
@@ -0,0 +1,13 @@
+[doh]
+enable=0
+
+[maat]
+table_appid=TSG_OBJ_APP_ID
+table_addr=TSG_SECURITY_ADDR
+table_qname=TSG_FIELD_DOH_QNAME
+table_host=TSG_FIELD_DOH_HOST
+
+[kafka]
+ENTRANCE_ID=0
+# if enable "en_sendlog", the iterm "tfe.conf [kafka] enable" must set 1
+en_sendlog=1
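Review bot: `en_sendlog=1` on the last line contradicts the comment directly above it: the comment requires `tfe.conf [kafka] enable` to be 1, but the tfe.conf added in this same commit sets `enable=0`, so DoH log sending either silently does nothing or fails at runtime depending on how the consumer handles it. Either keep `en_sendlog=0` here until the kafka producer is enabled, or set `enable=1` in tfe.conf in the same change. Key naming in `[kafka]` is also mixed: `ENTRANCE_ID` is upper-case while `en_sendlog` and pangu_pxy.conf's `entrance_id` are lower-case; if the reader is case-sensitive one spelling is ignored, so pick one form across both files.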
diff --git a/config/tfe/pangu/pangu_pxy.conf b/config/tfe/pangu/pangu_pxy.conf
new file mode 100644
index 0000000..7212c61
--- /dev/null
+++ b/config/tfe/pangu/pangu_pxy.conf
@@ -0,0 +1,92 @@
+[debug]
+enable_plugin=1
+
+[log]
+entrance_id=0
+# default 1, if enable "en_sendlog", the iterm "tfe.conf [kafka] enable" must set 1
+en_sendlog=0
+#Addresses of minio. Format is defined by WiredLB.
+minio_ip_list=192.168.44.10;
+minio_listen_port=9090
+#Maximum number of connections opened by per host.
+#MAX_CONNECTION_PER_HOST=1
+#Maximum number of requests in a pipeline.
+#MAX_CNNT_PIPELINE_NUM=20
+#Maximum parellel sessions(http and redis) is allowed to open.
+#MAX_CURL_SESSION_NUM=100
+#Maximum time the request is allowed to take(seconds).
+#MAX_CURL_TRANSFER_TIMEOUT_S=0
+
+#Bucket name in minio.
+cache_bucket_name=proxybucket
+#Maximum size of memory used by tango_cache_client. Upload will fail if the current size of memory used exceeds this value.
+max_used_memroy_size_mb=5120
+#Default TTL of objects, i.e. the time after which the object will expire(minumun 60s, i.e. 1 minute).
+cache_default_ttl_second=3600
+#Whether to hash the object key before cache actions. GET/PUT may be faster if you open it.
+cache_object_key_hash_switch=1
+
+#Store way: 0-MINIO; 1-META in REDIS, object in minio; 2-META and small object in Redis, large object in minio;
+cache_store_object_way=0
+#If CACHE_STORE_OBJECT_WAY is 2 and the size of a object is not bigger than this value, object will be stored in redis.
+redis_cache_object_size=1024000
+#If CACHE_STORE_OBJECT_WAY is not 0, we will use redis to store meta and object.
+redis_cluster_addrs=192.168.10.62-63;
+
+#Configs of WiredLB for Minios load balancer.
+wiredlb_override=1
+wiredlb_topic=MinioFileLog
+wiredlb_datacenter=k18consul-tse
+wiredlb_health_port=8560
+wiredlb_group=FileLog
+
+log_fsstat_appname=tango_log_file
+log_fsstat_filepath=./tango_log_file.fs
+log_fsstat_interval=10
+log_fsstat_trig=1
+log_fsstat_dst_ip=10.4.20.202
+log_fsstat_dst_port=8125
+
+[ratelimit]
+enable=0
+token_name=ratelimit
+redis_server=192.168.44.72
+redis_port=7002
+redis_db_index=6
+
+[tango_cache]
+enable_cache=0
+min_cache_obj_size=512
+#minio ip, as wiredlb required
+minio_ip_list=192.168.10.61-64;
+minio_listen_port=9000
+
+#max_connection_per_host=1
+max_cnnt_pipeline_num=20
+#max_curl_session_num=100
+
+cache_bucket_name=proxybucket
+max_used_memory_size_mb=10240
+cache_default_ttl_second=3600
+cache_object_key_hash_switch=1
+
+#1-minio,2-redis
+#Store way: 0-MINIO; 1-META in REDIS, object in minio; 2-META and small object in Redis, large object in minio;
+cache_store_object_way=0
+#If CACHE_STORE_OBJECT_WAY is 2 and the size of a object is not bigger than this value, object will be stored in redis.
+redis_cache_object_size=102400
+#If CACHE_STORE_OBJECT_WAY is not 0, we will use redis to store meta and object.
+redis_cluster_addrs=192.168.10.62-63;
+
+#wired load balancer configuration
+wiredlb_override=1
+wiredlb_topic=MinioCache
+wiredlb_datacenter=k18consul-tse
+wiredlb_health_port=52101
+wiredlb_group=TangoCache
+
+cache_undefined_obj=1
+query_undefined_obj=0
+statsd_server=192.168.10.72
+statsd_port=8126
+histogram_bins=0.20,0.40,0.6,0.8
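Review bot: `max_used_memroy_size_mb=5120` under `[log]` is misspelled, while the same setting under `[tango_cache]` is written `max_used_memory_size_mb`; unless the reader deliberately accepts both spellings, the `[log]` value is never applied and the code default is used instead. Make both sections agree on whichever spelling the consumer actually parses, presumably `max_used_memory_size_mb=5120`. The commented-out keys in `[log]` are upper-case (`#MAX_CONNECTION_PER_HOST=1`) while the live keys are lower-case, so uncommenting them as-is may also be ignored; normalising them to the lower-case form used on the live lines avoids that trap.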
diff --git a/config/tfe/tfe/future.conf b/config/tfe/tfe/future.conf
new file mode 100644
index 0000000..f1ef8b0
--- /dev/null
+++ b/config/tfe/tfe/future.conf
@@ -0,0 +1,10 @@
+[STAT]
+no_stats=0
+statsd_server=127.0.0.1
+statsd_port=8100
+histogram_bins=0.50,0.80,0.9,0.95
+statsd_cycle=5
+# FS_OUTPUT_STATSD=1, FS_OUTPUT_INFLUX_LINE=2
+statsd_format=2
+# printf diff Not available
+# print_diff=1
diff --git a/config/tfe/tfe/tfe.conf b/config/tfe/tfe/tfe.conf
new file mode 100644
index 0000000..977e5d6
--- /dev/null
+++ b/config/tfe/tfe/tfe.conf
@@ -0,0 +1,178 @@
+[system]
+nr_worker_threads=8
+enable_kni_v1=0
+enable_kni_v2=0
+enable_kni_v3=1
+
+# Only when (disable_coredump == 1 || (enable_breakpad == 1 && enable_breakpad_upload == 1)) is satisfied, the core will not be generated locally
+disable_coredump=0
+enable_breakpad=1
+enable_breakpad_upload=1
+breakpad_upload_url=http://sentry.mesalab.cn:9000/api/3/minidump/?sentry_key=e8e446bb3bd8435c97f4c01770ca7025
+# must be /run/tfe/crashreport,due to tmpfile limit
+breakpad_minidump_dir=/run/tfe/crashreport
+
+# ask for at least (1 + nr_worker_threads) masks
+# the first mask for acceptor thread
+# the others mask for worker thread
+enable_cpu_affinity=1
+cpu_affinity_mask=1-9
+# LEAST_CONN = 0; ROUND_ROBIN = 1
+load_balance=1
+
+[kni]
+# kni v1
+#uxdomain=/var/run/.tfe_kni_acceptor_handler
+# kni v2
+#scm_socket_file=/var/run/.tfe_kmod_scm_socket
+
+# send cmsg
+send_switch=0
+ip=192.168.100.1
+cmsg_port=2475
+
+# watch dog
+watchdog_switch=0
+watchdog_port=2476
+
+[ssl]
+ssl_ja3_debug=0
+ssl_ja3_table=PXY_SSL_FINGERPRINT
+# ssl version Not available, configured via TSG website
+# ssl_max_version=tls13
+# ssl_min_version=ssl3
+ssl_compression=1
+no_ssl2=1
+no_ssl3=0
+no_tls10=0
+no_tls11=0
+no_tls12=0
+default_ciphers=ALL:-aNULL
+no_cert_verify=0
+
+# session ticket
+no_session_ticket=0
+stek_group_num=4096
+stek_rotation_time=3600
+
+# session cache
+no_session_cache=0
+session_cache_slots=4194304
+session_cache_expire_seconds=1800
+
+# service cache
+service_cache_slots=4194304
+service_cache_expire_seconds=300
+service_cache_fail_as_pinning_cnt=4
+service_cache_fail_as_proto_err_cnt=5
+service_cache_fail_time_window=30
+
+# cert
+check_cert_crl=0
+trusted_cert_load_local=0
+#trusted_cert_file=resource/tfe/tls-ca-bundle.pem
+trusted_cert_file=resource/tfe/tsg_diagonse_ca.pem
+trusted_cert_dir=resource/tfe/trusted_storage
+
+# master key
+log_master_key=0
+key_log_file=log/sslkeylog.log
+
+# mid cert cache
+mc_cache_enable=0
+mc_cache_eth=eth0
+mc_cache_broker_list=192.168.44.11:9092,192.168.44.14:9092,192.168.44.15:9092
+mc_cache_topic=PXY-EXCH-INTERMEDIA-CERT
+
+[key_keeper]
+#Mode: debug - generate cert with ca_path, normal - generate cert with cert store
+#0 on cache 1 off cache
+no_cache=0
+mode=normal
+cert_store_host=192.168.40.21
+cert_store_port=9991
+ca_path=resource/tfe/tango-ca-trust-ca.pem
+untrusted_ca_path=resource/tfe/tango-ca-untrust-ca.pem
+hash_slot_size=131072
+hash_expire_seconds=300
+cert_expire_time=24
+
+# health_check only for "mode=normal" default 1
+enable_health_check=1
+
+[debug]
+# 1 : enforce tcp passthrough
+# 0 : Whether to passthrough depends on the tcp_options in cmsg
+passthrough_all_tcp=0
+
+[ratelimit]
+read_rate=0
+read_burst=0
+write_rate=0
+write_burst=0
+
+[tcp]
+# read rcv_buff/snd_buff options from tfe conf
+sz_rcv_buffer=-1
+sz_snd_buffer=-1
+
+# 1 : use tcp_options in tfe.conf
+# 0 : use tcp_options in cmsg
+enable_overwrite=0
+tcp_nodelay=1
+so_keepalive=1
+tcp_keepcnt=8
+tcp_keepintvl=15
+tcp_keepidle=30
+tcp_user_timeout=600
+tcp_ttl_upstream=75
+tcp_ttl_downstream=70
+
+[stat]
+statsd_server=127.0.0.1
+statsd_port=8100
+statsd_cycle=5
+# 1:FS_OUTPUT_STATSD; 2:FS_OUTPUT_INFLUX_LINE
+statsd_format=2
+histogram_bins=0.5,0.8,0.9,0.95
+statsd_set_prometheus_port=9001
+statsd_set_prometheus_url_path=/metrics
+
+[traffic_mirror]
+enable=0
+device=ens8f2
+# 0:TRAFFIC_MIRROR_ETHDEV_AF_PACKET; 1:TRAFFIC_MIRROR_ETHDEV_MARSIO
+type=1
+table_info=resource/pangu/table_info_traffic_mirror.conf
+stat_file=log/traffic_mirror.status
+
+[kafka]
+enable=0
+NIC_NAME=eth0
+kafka_brokerlist=192.168.44.11:9092,192.168.44.14:9092,192.168.44.15:9092
+kafka_topic=PROXY-EVENT-LOG
+device_id_filepath=/opt/tsg/etc/tsg_sn.json
+
+[maat]
+# 0:json 1:redis 2:iris
+maat_input_mode=1
+stat_switch=1
+perf_switch=1
+table_info=resource/pangu/table_info.conf
+accept_path=/opt/tsg/etc/tsg_device_tag.json
+accept_tag_key=device_id
+stat_file=log/pangu_scan.fs2
+effect_interval_s=1
+deferred_load_on=0
+
+# json mode conf iterm
+json_cfg_file=resource/pangu/pangu_http.json
+
+# redis mode conf iterm
+maat_redis_server=192.168.44.72
+maat_redis_port_range=7002
+maat_redis_db_index=0
+
+# iris mode conf iterm
+full_cfg_dir=pangu_policy/full/index/
+inc_cfg_dir=pangu_policy/inc/index/
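Review bot: `breakpad_upload_url` in `[system]` embeds a `sentry_key` and uses plain `http://`, and with `enable_breakpad=1` and `enable_breakpad_upload=1` every crash minidump is posted unencrypted to that host; a minidump of a TLS-terminating proxy can contain process memory (session state, possibly key material), so this is both a committed secret and sensitive data in transit. Move the key out of the tracked config (inject it from the environment or a mounted secret at container start, leaving a placeholder such as `breakpad_upload_url=<set at deploy time>` here), switch the endpoint to `https://`, and rotate the key since it is already in history. Also note that `[kafka]` keeps `enable=0` while doh.conf in this commit sets `en_sendlog=1` with a comment stating kafka must be enabled, so the two files disagree.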
diff --git a/config/tfe/tfe/zlog.conf b/config/tfe/tfe/zlog.conf
new file mode 100644
index 0000000..70e3f72
--- /dev/null
+++ b/config/tfe/tfe/zlog.conf
@@ -0,0 +1,20 @@
+# kill -s SIGHUP "pid"
+
+[global]
+
+default format = "%d(%c), %V, %F, %U, %m%n"
+
+[levels]
+
+DEBUG=10
+INFO=20
+FATAL=30
+
+[rules]
+
+*.fatal "./log/error.log.%d(%F)";
+tfe.DEBUG "./log/tfe.log.%d(%F)";
+http.DEBUG "./log/http.log.%d(%F)";
+http2.DEBUG "./log/http2.log.%d(%F)";
+doh.DEBUG "./log/doh_pxy.log.%d(%F)";
+pangu.DEBUG "./log/pangu_pxy.log.%d(%F)"; \ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index 00d5c7b..da3e06f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -18,3 +18,23 @@ services:
- ./config/sapp_run/tsgconf/maat.conf:/home/mesasoft/sapp_run/tsgconf/maat.conf
- ./config/sapp_run/conf/capture_packet_plug.conf:/home/mesasoft/sapp_run/conf/capture_packet_plug.conf
- /etc/localtime:/etc/localtime:ro
+ tfe:
+ build:
+ context: ./dockerfile/tfe
+ dockerfile: Dockerfile
+ image: "tfe-v4.4"
+ container_name: "tfe-container-v4.4"
+ security_opt:
+ - seccomp:unconfined
+ cap_add:
+ - NET_ADMIN
+ - SYS_PTRACE
+ devices:
+ - "/dev/net/tun:/dev/net/tun"
+ volumes:
+ - ./config/tfe/doh/doh.conf:/opt/tsg/tfe/conf/doh/doh.conf
+ - ./config/tfe/pangu/pangu_pxy.conf:/opt/tsg/tfe/conf/pangu/pangu_pxy.conf
+ - ./config/tfe/tfe/future.conf:/opt/tsg/tfe/conf/tfe/future.conf
+ - ./config/tfe/tfe/tfe.conf:/opt/tsg/tfe/conf/tfe/tfe.conf
+ - ./config/tfe/tfe/zlog.conf:/opt/tsg/tfe/conf/tfe/zlog.conf
+ - /etc/localtime:/etc/localtime:ro
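Review bot: the five config mounts under `volumes:` are read-write while `/etc/localtime` gets `:ro`; the container has no reason to write its own config, and a compromised process could persist changes back into the host's `./config/tfe` tree, so append `:ro` to each conf mount, e.g. `- ./config/tfe/tfe/tfe.conf:/opt/tsg/tfe/conf/tfe/tfe.conf:ro`. `seccomp:unconfined` together with `SYS_PTRACE` removes most syscall filtering for the container; the tun/route setup in tfe-env.sh needs only `NET_ADMIN` plus the `/dev/net/tun` device, so either drop the other two or add a comment naming the component that requires them (breakpad is a plausible candidate for ptrace, but that is an inference). The `services:` key that encloses the new `tfe:` entry is above the hunk.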
diff --git a/dockerfile/tfe/Dockerfile b/dockerfile/tfe/Dockerfile
index 3bba4df..0d2ac47 100644
--- a/dockerfile/tfe/Dockerfile
+++ b/dockerfile/tfe/Dockerfile
@@ -1,39 +1,52 @@
-FROM centos:7
+FROM docker.io/centos:7
-COPY MESA-Framework.repo /etc/yum.repos.d/
+COPY MESA-Framework.repo /etc/yum.repos.d/
+COPY framework.conf /etc/ld.so.conf.d/
-RUN yum makecache && yum install -y \
+RUN yum makecache && yum install -y \
+ mrzcpd \
+ numactl \
+ zlib \
+ librdkafka \
+ systemd \
libcjson \
- libdocumentanalyze \
libmaatframe \
- libMESA_field_stat \
libMESA_field_stat2 \
libMESA_handle_logger \
- libMESA_htable\
+ libMESA_htable \
libMESA_prof_load \
- librdkafka \
librulescan \
- libtsglua \
libwiredcfg \
libWiredLB \
- lz4 \
+ sapp \
libbreakpad_mini \
- mrzcpd \
- tfe
+ libmnl \
+ libnfnetlink \
+ iptables \
+ iproute \
+ && ldconfig
RUN yum install -y \
epel-release \
- python3 \
gdb \
- numactl \
+ strace \
+ htop \
tcpdump \
net-tools \
+ curl \
vim \
- && pip3 install supervisor \
+ python3 \
+ && pip3 install supervisor \
&& yum clean all
-CMD tail -f /dev/null
-
+COPY tfe-env.sh /opt/tsg/tfe/
+COPY tfe-4.3.30.202103111806030800.ce55dbd-1.el7.x86_64.rpm /root/
+RUN rpm -ivh /root/tfe-4.3.30.202103111806030800.ce55dbd-1.el7.x86_64.rpm && chmod o+x /opt/tsg/tfe/tfe-env.sh
+COPY supervisord.conf /etc/supervisord/
+
+WORKDIR /opt/tsg/tfe/
-#ENTRYPOINT ["cat","/root/test.txt"]
+ENTRYPOINT ["/usr/local/bin/supervisord", "-n", "-c", "/etc/supervisord/supervisord.conf"]
+# docker run -it --cap-add=NET_ADMIN --cap-add=SYS_PTRACE --security-opt seccomp=unconfined --device /dev/net/tun:/dev/net/tun tfe:v1 /bin/bash
+# supervisorctl -c /etc/supervisord/supervisord.conf status \ No newline at end of file
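Review bot: `pip3 install supervisor` in the second `RUN` is unpinned, so the image is not reproducible and picks up whatever version PyPI serves at build time; pin it with `pip3 install supervisor==<pinned-version>` (placeholder to be filled in). The RPM is `COPY`ed into `/root/` in its own layer and only then installed by a separate `RUN`, so the package (3.5 MB per the diffstat) stays in the final image no matter what a later step removes; a BuildKit `RUN --mount=type=bind,source=<rpm>,target=/root/<rpm> rpm -ivh /root/<rpm>` keeps it out of the image entirely. The first `RUN yum install` also lacks the `yum clean all` that the second one has, so that layer carries the yum cache, and the trailing usage comment refers to an image tag `tfe:v1` that does not match the `tfe-v4.4` name used in docker-compose.yml.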
diff --git a/dockerfile/tfe/framework.conf b/dockerfile/tfe/framework.conf
new file mode 100644
index 0000000..a7a8844
--- /dev/null
+++ b/dockerfile/tfe/framework.conf
@@ -0,0 +1 @@
+/opt/MESA/lib/ \ No newline at end of file
diff --git a/dockerfile/tfe/supervisord.conf b/dockerfile/tfe/supervisord.conf
new file mode 100644
index 0000000..3cd3cc9
--- /dev/null
+++ b/dockerfile/tfe/supervisord.conf
@@ -0,0 +1,188 @@
+; Sample supervisor config file.
+;
+; For more information on the config file, please see:
+; http://supervisord.org/configuration.html
+;
+; Notes:
+; - Shell expansion ("~" or "$HOME") is not supported. Environment
+; variables can be expanded using this syntax: "%(ENV_HOME)s".
+; - Quotes around values are not supported, except in the case of
+; the environment= options as shown below.
+; - Comments must have a leading space: "a=b ;comment" not "a=b;comment".
+; - Command will be truncated if it looks like a config file comment, e.g.
+; "command=bash -c 'foo ; bar'" will truncate to "command=bash -c 'foo ".
+;
+; Warning:
+; Paths throughout this example file use /tmp because it is available on most
+; systems. You will likely need to change these to locations more appropriate
+; for your system. Some systems periodically delete older files in /tmp.
+; Notably, if the socket file defined in the [unix_http_server] section below
+; is deleted, supervisorctl will be unable to connect to supervisord.
+
+[unix_http_server]
+file=/var/run/supervisor.sock ; the path to the socket file
+;chmod=0700 ; socket file mode (default 0700)
+;chown=nobody:nogroup ; socket file uid:gid owner
+;username=user ; default is no username (open server)
+;password=123 ; default is no password (open server)
+
+; Security Warning:
+; The inet HTTP server is not enabled by default. The inet HTTP server is
+; enabled by uncommenting the [inet_http_server] section below. The inet
+; HTTP server is intended for use within a trusted environment only. It
+; should only be bound to localhost or only accessible from within an
+; isolated, trusted network. The inet HTTP server does not support any
+; form of encryption. The inet HTTP server does not use authentication
+; by default (see the username= and password= options to add authentication).
+; Never expose the inet HTTP server to the public internet.
+
+;[inet_http_server] ; inet (TCP) server disabled by default
+;port=127.0.0.1:9001 ; ip_address:port specifier, *:port for all iface
+;username=user ; default is no username (open server)
+;password=123 ; default is no password (open server)
+
+[supervisord]
+logfile=/tmp/supervisord.log ; main log file; default $CWD/supervisord.log
+logfile_maxbytes=50MB ; max main logfile bytes b4 rotation; default 50MB
+logfile_backups=10 ; # of main logfile backups; 0 means none, default 10
+loglevel=info ; log level; default info; others: debug,warn,trace
+pidfile=/var/run/supervisord.pid ; supervisord pidfile; default supervisord.pid
+nodaemon=false ; start in foreground if true; default false
+silent=false ; no logs to stdout if true; default false
+minfds=1024 ; min. avail startup file descriptors; default 1024
+minprocs=200 ; min. avail process descriptors;default 200
+;umask=022 ; process file creation umask; default 022
+;user=supervisord ; setuid to this UNIX account at startup; recommended if root
+;identifier=supervisor ; supervisord identifier, default is 'supervisor'
+;directory=/tmp ; default is not to cd during start
+;nocleanup=true ; don't clean up tempfiles at start; default false
+;childlogdir=/tmp ; 'AUTO' child log dir, default $TEMP
+;environment=KEY="value" ; key value pairs to add to environment
+;strip_ansi=false ; strip ansi escape codes in logs; def. false
+
+; The rpcinterface:supervisor section must remain in the config file for
+; RPC (supervisorctl/web interface) to work. Additional interfaces may be
+; added by defining them in separate [rpcinterface:x] sections.
+
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
+; The supervisorctl section configures how supervisorctl will connect to
+; supervisord. configure it match the settings in either the unix_http_server
+; or inet_http_server section.
+
+[supervisorctl]
+serverurl=unix:///var/run/supervisor.sock ; use a unix:// URL for a unix socket
+;serverurl=http://127.0.0.1:9001 ; use an http:// url to specify an inet socket
+;username=chris ; should be same as in [*_http_server] if set
+;password=123 ; should be same as in [*_http_server] if set
+;prompt=mysupervisor ; cmd line prompt (default "supervisor")
+;history_file=~/.sc_history ; use readline history if available
+
+; The sample program section below shows all possible program subsection values.
+; Create one or more 'real' program: sections to be able to control them under
+; supervisor.
+
+;[program:theprogramname]
+;command=/bin/cat ; the program (relative uses PATH, can take args)
+;process_name=%(program_name)s ; process_name expr (default %(program_name)s)
+;numprocs=1 ; number of processes copies to start (def 1)
+;directory=/tmp ; directory to cwd to before exec (def no cwd)
+;umask=022 ; umask for process (default None)
+;priority=999 ; the relative start priority (default 999)
+;autostart=true ; start at supervisord start (default: true)
+;startsecs=1 ; # of secs prog must stay up to be running (def. 1)
+;startretries=3 ; max # of serial start failures when starting (default 3)
+;autorestart=unexpected ; when to restart if exited after running (def: unexpected)
+;exitcodes=0 ; 'expected' exit codes used with autorestart (default 0)
+;stopsignal=QUIT ; signal used to kill process (default TERM)
+;stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
+;stopasgroup=false ; send stop signal to the UNIX process group (default false)
+;killasgroup=false ; SIGKILL the UNIX process group (def false)
+;user=chrism ; setuid to this UNIX account to run the program
+;redirect_stderr=true ; redirect proc stderr to stdout (default false)
+;stdout_logfile=/a/path ; stdout log path, NONE for none; default AUTO
+;stdout_logfile_maxbytes=1MB ; max # logfile bytes b4 rotation (default 50MB)
+;stdout_logfile_backups=10 ; # of stdout logfile backups (0 means none, default 10)
+;stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
+;stdout_events_enabled=false ; emit events on stdout writes (default false)
+;stdout_syslog=false ; send stdout to syslog with process name (default false)
+;stderr_logfile=/a/path ; stderr log path, NONE for none; default AUTO
+;stderr_logfile_maxbytes=1MB ; max # logfile bytes b4 rotation (default 50MB)
+;stderr_logfile_backups=10 ; # of stderr logfile backups (0 means none, default 10)
+;stderr_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
+;stderr_events_enabled=false ; emit events on stderr writes (default false)
+;stderr_syslog=false ; send stderr to syslog with process name (default false)
+;environment=A="1",B="2" ; process environment additions (def no adds)
+;serverurl=AUTO ; override serverurl computation (childutils)
+
+; The sample eventlistener section below shows all possible eventlistener
+; subsection values. Create one or more 'real' eventlistener: sections to be
+; able to handle event notifications sent by supervisord.
+
+;[eventlistener:theeventlistenername]
+;command=/bin/eventlistener ; the program (relative uses PATH, can take args)
+;process_name=%(program_name)s ; process_name expr (default %(program_name)s)
+;numprocs=1 ; number of processes copies to start (def 1)
+;events=EVENT ; event notif. types to subscribe to (req'd)
+;buffer_size=10 ; event buffer queue size (default 10)
+;directory=/tmp ; directory to cwd to before exec (def no cwd)
+;umask=022 ; umask for process (default None)
+;priority=-1 ; the relative start priority (default -1)
+;autostart=true ; start at supervisord start (default: true)
+;startsecs=1 ; # of secs prog must stay up to be running (def. 1)
+;startretries=3 ; max # of serial start failures when starting (default 3)
+;autorestart=unexpected ; autorestart if exited after running (def: unexpected)
+;exitcodes=0 ; 'expected' exit codes used with autorestart (default 0)
+;stopsignal=QUIT ; signal used to kill process (default TERM)
+;stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
+;stopasgroup=false ; send stop signal to the UNIX process group (default false)
+;killasgroup=false ; SIGKILL the UNIX process group (def false)
+;user=chrism ; setuid to this UNIX account to run the program
+;redirect_stderr=false ; redirect_stderr=true is not allowed for eventlisteners
+;stdout_logfile=/a/path ; stdout log path, NONE for none; default AUTO
+;stdout_logfile_maxbytes=1MB ; max # logfile bytes b4 rotation (default 50MB)
+;stdout_logfile_backups=10 ; # of stdout logfile backups (0 means none, default 10)
+;stdout_events_enabled=false ; emit events on stdout writes (default false)
+;stdout_syslog=false ; send stdout to syslog with process name (default false)
+;stderr_logfile=/a/path ; stderr log path, NONE for none; default AUTO
+;stderr_logfile_maxbytes=1MB ; max # logfile bytes b4 rotation (default 50MB)
+;stderr_logfile_backups=10 ; # of stderr logfile backups (0 means none, default 10)
+;stderr_events_enabled=false ; emit events on stderr writes (default false)
+;stderr_syslog=false ; send stderr to syslog with process name (default false)
+;environment=A="1",B="2" ; process environment additions
+;serverurl=AUTO ; override serverurl computation (childutils)
+
+; The sample group section below shows all possible group values. Create one
+; or more 'real' group: sections to create "heterogeneous" process groups.
+
+;[group:thegroupname]
+;programs=progname1,progname2 ; each refers to 'x' in [program:x] definitions
+;priority=999 ; the relative start priority (default 999)
+
+; The [include] section can just contain the "files" setting. This
+; setting can list multiple files (separated by whitespace or
+; newlines). It can also contain wildcards. The filenames are
+; interpreted as relative to this file. Included files *cannot*
+; include files themselves.
+
+;[include]
+;files = relative/directory/*.ini
+
+[program:tfe-env]
+user=root
+Command=bash -c "/opt/tsg/tfe/tfe-env.sh start"
+directory=/opt/tsg/tfe/
+
+startsecs=0
+startretries=0
+autorestart=false
+
+[program:tfe]
+user=root
+Command="/opt/tsg/tfe/bin/tfe"
+directory=/opt/tsg/tfe/
+
+autostart=true
+startsecs=1
+startretries=3 \ No newline at end of file
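Review bot: `[program:tfe-env]` and `[program:tfe]` both use the default priority, so supervisord gives no ordering guarantee that the tun/route setup in tfe-env.sh has run before `/opt/tsg/tfe/bin/tfe` starts, and `startsecs=0` only marks tfe-env as running immediately rather than waiting for the script to finish; give tfe-env a lower `priority` than tfe (e.g. `priority=100` and `priority=900`) and, if tfe truly depends on the device existing, have tfe's command wait for it or have tfe-env exec tfe at the end. The `Command=` key in both program sections is capitalised while every other key in the file is lower-case; supervisor's ConfigParser-based reader appears to fold option names so it still works, but `command=` matches the rest of the file. `Command="/opt/tsg/tfe/bin/tfe"` also runs against the header's note that quotes around values are not supported; supervisor splits `command` with shell-style quoting so the quotes are tolerated, but they add nothing here and are best dropped.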
diff --git a/dockerfile/tfe/tfe-4.3.30.202103111806030800.ce55dbd-1.el7.x86_64.rpm b/dockerfile/tfe/tfe-4.3.30.202103111806030800.ce55dbd-1.el7.x86_64.rpm
new file mode 100644
index 0000000..4885842
--- /dev/null
+++ b/dockerfile/tfe/tfe-4.3.30.202103111806030800.ce55dbd-1.el7.x86_64.rpm
Binary files differ
diff --git a/dockerfile/tfe/tfe-env.sh b/dockerfile/tfe/tfe-env.sh
new file mode 100644
index 0000000..b6e4dcf
--- /dev/null
+++ b/dockerfile/tfe/tfe-env.sh
@@ -0,0 +1,108 @@
+#!/bin/bash
+
+INCOMING_DEVICE=tun_kni
+
+LOCAL_MAC_ADDR=fe:65:b7:00:00:01
+PEER_MAC_ADDR=aa:bb:cc:dd:ee:ff
+
+LOCAL_IP_ADDR=172.16.241.2
+PEER_IP_ADDR=172.16.241.1
+
+start_fun()
+{
+ # 创建虚拟网卡
+ /usr/sbin/ip tuntap add dev ${INCOMING_DEVICE} mode tun one_queue
+
+ # 设置网卡的 MAC
+ /usr/sbin/ip link set ${INCOMING_DEVICE} address ${LOCAL_MAC_ADDR}
+ # 设置网卡的状态
+ /usr/sbin/ip link set ${INCOMING_DEVICE} up
+ /usr/sbin/ip addr flush dev ${INCOMING_DEVICE}
+
+ # 设置网卡的 IPv4 地址
+ /usr/sbin/ip addr add ${LOCAL_IP_ADDR}/30 dev ${INCOMING_DEVICE}
+
+ # 刷新网卡的 ARP
+ # /usr/sbin/ip neigh flush dev ${INCOMING_DEVICE}
+ # 将 PEER 的 IP / MAC 加入到本地设备的 ARP 表中
+ #/usr/sbin/ip neigh add ${PEER_IP_ADDR} lladdr ${PEER_MAC_ADDR} dev ${INCOMING_DEVICE} nud permanent
+
+ ###########################################################################
+ # policy route v4
+ ###########################################################################
+
+ # 流入的流量走 100 号路由表
+ /usr/sbin/ip rule add iif ${INCOMING_DEVICE} tab 100
+ /usr/sbin/ip route add local default dev lo table 100
+
+ # 流出的带 0x65 的流量走 101 号路由表
+ /usr/sbin/ip rule add fwmark 0x65 lookup 101
+ /usr/sbin/ip route add default dev ${INCOMING_DEVICE} via ${PEER_IP_ADDR} table 101
+
+ ###########################################################################
+ # policy route v6
+ ###########################################################################
+
+ # 设置网卡的 IPv6 地址
+ /usr/sbin/ip addr add fd00::02/64 dev ${INCOMING_DEVICE}
+
+ /usr/sbin/ip -6 route add default via fd00::01
+
+ # 流入的流量走 102 号路由表
+ /usr/sbin/ip -6 rule add iif ${INCOMING_DEVICE} tab 102
+ /usr/sbin/ip -6 route add local default dev lo table 102
+
+ # 将 PEER 的 IP / MAC 加入到本地设备的 ARP 表中
+ #/usr/sbin/ip -6 neigh add fd00::01 lladdr ${PEER_MAC_ADDR} dev ${INCOMING_DEVICE} nud permanent
+
+ ###########################################################################
+ # iptables netfilter
+ ###########################################################################
+ iptables -A INPUT -i ${INCOMING_DEVICE} -m bpf --bytecode '14,48 0 0 0,84 0 0 240,21 0 10 64,48 0 0 9,21 0 8 6,40 0 0 6,69 6 0 8191,177 0 0 0,80 0 0 20,21 0 3 88,80 0 0 21,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
+}
+
+stop_fun()
+{
+ iptables -F
+
+ /usr/sbin/ip rule del iif ${INCOMING_DEVICE} tab 100
+ /usr/sbin/ip route del local default dev lo table 100
+
+ /usr/sbin/ip rule del fwmark 0x65 lookup 101
+ /usr/sbin/ip route del default dev ${INCOMING_DEVICE} via ${PEER_IP_ADDR} table 101
+
+ /usr/sbin/ip -6 rule del iif ${INCOMING_DEVICE} tab 102
+ /usr/sbin/ip -6 route del default via fd00::01
+ /usr/sbin/ip -6 route del local default dev lo table 102
+
+ /usr/sbin/ip addr del fd00::02/64 dev ${INCOMING_DEVICE}
+
+ /usr/sbin/ip link set ${INCOMING_DEVICE} down
+
+ # 删除虚拟网卡
+ /usr/sbin/ip tuntap del dev ${INCOMING_DEVICE} mode tap
+}
+
+status_fun()
+{
+ iptables -L
+}
+
+case "$1" in
+ start)
+ start_fun
+ ;;
+ stop)
+ stop_fun
+ ;;
+ restart)
+ stop_fun
+ start_fun
+ ;;
+ status)
+ status_fun
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|status|restart}"
+esac
+exit 0
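Review bot: `stop_fun` deletes the device with `ip tuntap del dev ${INCOMING_DEVICE} mode tap` while `start_fun` created it with `mode tun`; the mode must match the existing device, so the delete fails, the device survives `stop`/`restart`, and the following `ip tuntap add` in `start_fun` will most likely fail as well. Change the line to `/usr/sbin/ip tuntap del dev ${INCOMING_DEVICE} mode tun`. `iptables -F` in `stop_fun` also flushes every rule in the filter table rather than only the NFQUEUE rule this script added; deleting the specific rule with `iptables -D INPUT` and the same match arguments as the `-A` line is safer for anything else running in the namespace. The script has no `set -e` or per-command error handling and always ends with `exit 0`, so a failed `ip` command is invisible to supervisord, which hides exactly this class of failure.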