diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0cc09d6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,7 @@
+# 忽略所有 .DS_Store 文件
+*.DS_Store
+
+# 忽略 playbooks/deepflow 目录下的 tar.gz 文件
+playbooks/deepflow/*.zip
+playbooks/deepflow/*.tar.gz
+playbooks/deepflow/deepflow-agent-playbook/*.zip
diff --git a/playbooks/deepflow/deepflow-agent-playbook/Readme.md b/playbooks/deepflow/deepflow-agent-playbook/Readme.md
new file mode 100644
index 0000000..7ab68e6
--- /dev/null
+++ b/playbooks/deepflow/deepflow-agent-playbook/Readme.md
@@ -0,0 +1,2 @@
+ansible-playbook -i inventory/js2_hosts.ini playbook.yml -e "ansible_ssh_user=ubuntu area=js2" -D -C
+ansible-playbook -i inventory/js2_hosts.ini playbook.yml -e "ansible_ssh_user=ubuntu area=js2" -D
diff --git a/playbooks/deepflow/deepflow-agent-playbook/inventory/js2_hosts.ini b/playbooks/deepflow/deepflow-agent-playbook/inventory/js2_hosts.ini
new file mode 100644
index 0000000..5e45dd9
--- /dev/null
+++ b/playbooks/deepflow/deepflow-agent-playbook/inventory/js2_hosts.ini
@@ -0,0 +1,8 @@
+[js2]
+10.200.11.[1:24]
+
+[all:vars]
+ansible_port=22
+ansible_ssh_user=ubuntu
+ansible_host_key_checking=False
+ansible_ssh_private_key_file=~/.ssh/id_rsa
diff --git a/playbooks/deepflow/deepflow-agent-playbook/playbook.yml b/playbooks/deepflow/deepflow-agent-playbook/playbook.yml
new file mode 100644
index 0000000..f153d7f
--- /dev/null
+++ b/playbooks/deepflow/deepflow-agent-playbook/playbook.yml
@@ -0,0 +1,10 @@
+- name: DeepFlow Agent Upgrade for 区域节点
+ hosts: all
+ become: true
+ gather_facts: false
+ vars:
+ area: js2
+ upgrade_zip_path: ./DeepFlow-Agent-Upgrade-20250523.zip
+ roles:
+ - deepflow_upgrade
+
diff --git a/playbooks/deepflow/deepflow-agent-playbook/roles/deepflow_upgrade/tasks/main.yml b/playbooks/deepflow/deepflow-agent-playbook/roles/deepflow_upgrade/tasks/main.yml
new file mode 100644
index 0000000..0301238
--- /dev/null
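Review bot: `ansible_host_key_checking=False` under `[all:vars]` switches off SSH host-key verification for every host in this inventory, so a machine that answers for one of the 10.200.11.1–24 addresses (re-used IP, ARP or route hijack) receives the become-enabled session, the upgrade archive and the root commands without any warning. For a fixed set of 24 addresses the cheaper fix is to seed `known_hosts` once after checking fingerprints out-of-band (`ssh-keyscan 10.200.11.{1..24} >> ~/.ssh/known_hosts`) and delete the line; if first-contact convenience matters, `ansible_ssh_common_args=-o StrictHostKeyChecking=accept-new` still pins the key after the first connection instead of never checking it. `ansible_ssh_user` is the pre-2.0 spelling of `ansible_user`, and the Readme passes the same value again with `-e`, so one place should own it.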
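Review bot: `hosts: all` combined with `become: true` runs the upgrade script as root on every host of whatever inventory is handed to `-i`, even though the shipped inventory defines a named `[js2]` group and the play carries an `area: js2` variable that is meant to match it. Pointing the play at the group, `hosts: js2` (or driving both the target and `area` from the same extra-var), makes a wrong `-i` file or a larger shared inventory a no-op instead of a fleet-wide root execution. The `-C` dry run shown in the Readme helps, but nothing in the play itself limits the blast radius.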
+++ b/playbooks/deepflow/deepflow-agent-playbook/roles/deepflow_upgrade/tasks/main.yml
@@ -0,0 +1,16 @@
+- name: Sync upgrade package to remote using rsync
+ synchronize:
+ src: "{{ upgrade_zip_path }}"
+ dest: /tmp/
+ mode: push
+
+- name: Unzip upgrade package
+ unarchive:
+ src: "/tmp/{{ upgrade_zip_path | basename }}"
+ dest: /tmp/
+ remote_src: yes
+
+- name: Execute upgrade script
+ command: bash update_agent.sh --area {{ area }}
+ args:
+ chdir: /tmp/DeepFlow-Agent-Upgrade
diff --git a/scripts/deepflow-agent-batch-tools-v1.0.sh b/scripts/deepflow-agent-batch-tools-v1.0.sh
new file mode 100644
index 0000000..26f3d57
--- /dev/null
+++ b/scripts/deepflow-agent-batch-tools-v1.0.sh
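Review bot: The archive is pushed into the world-writable `/tmp/`, extracted there, and `bash update_agent.sh` is then run as root from the fixed path `/tmp/DeepFlow-Agent-Upgrade` with nothing verifying the archive's contents or that the directory was not already present, so an unprivileged local user on a target who pre-creates `/tmp/DeepFlow-Agent-Upgrade/update_agent.sh` gets it executed as root on the next run, and a truncated or swapped zip is executed just the same. Stage into a root-owned `0700` directory instead of `/tmp`, copy with a pinned `checksum:` (Ansible's `copy` takes a SHA-1 here, which can be set next to `upgrade_zip_path` in the play vars), and point `unarchive` and `chdir` at that directory; `synchronize` has no checksum option, so the copy step changes module. The rewritten tasks below replace all three; the play-level `area` and `upgrade_zip_path` variables are unchanged.
```yaml
- name: Create root-owned staging directory
  ansible.builtin.file:
    path: /root/deepflow-upgrade
    state: directory
    owner: root
    group: root
    mode: '0700'

- name: Copy upgrade package and verify its checksum
  ansible.builtin.copy:
    src: "{{ upgrade_zip_path }}"
    dest: "/root/deepflow-upgrade/{{ upgrade_zip_path | basename }}"
    checksum: "{{ upgrade_zip_sha1 }}"   # pin in playbook vars alongside upgrade_zip_path
    mode: '0600'

- name: Unzip upgrade package
  ansible.builtin.unarchive:
    src: "/root/deepflow-upgrade/{{ upgrade_zip_path | basename }}"
    dest: /root/deepflow-upgrade/
    remote_src: yes

- name: Execute upgrade script
  ansible.builtin.command: bash update_agent.sh --area {{ area }}
  args:
    chdir: /root/deepflow-upgrade/DeepFlow-Agent-Upgrade
```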
@@ -0,0 +1,265 @@ +#!/bin/bash +# FIX config vtap-group-id-request 20250612-15:10 + +set -e + +#################################### +# 🌐 配置区 +#################################### + +IP_LIST="./ip.list" +SERVICE_NAME="deepflow-agent" +PKG_DIR="deepflow-agent-for-linux" +MAX_PARALLEL=5 + +CONTROLLER_IP="" +VTAP_GROUP_ID="" +LIMIT="" + +SSH_OPTS="-o StrictHostKeyChecking=no -o ConnectTimeout=15" + +FAILED_FILE="failed_hosts.txt" +SUCCESS_FILE="success_hosts.txt" +> "$FAILED_FILE" +> "$SUCCESS_FILE" + +#################################### +# 参数解析 +#################################### + +if [[ $# -eq 0 ]]; then + echo "用法: $0 {deploy|upgrade|verify} --controller --group [--limit ip1,ip2]" + exit 1 +fi + +ACTION="$1" +shift + +while [[ $# -gt 0 ]]; do + case "$1" in + --controller) + CONTROLLER_IP="$2" + shift 2 + ;; + --group) + VTAP_GROUP_ID="$2" + shift 2 + ;; + --limit) + LIMIT="$2" + shift 2 + ;; + *) + echo "未知参数: $1" + exit 1 + ;; + esac +done + +if [[ "$ACTION" != "deploy" && "$ACTION" != "upgrade" && "$ACTION" != "verify" ]]; then + echo "用法: $0 {deploy|upgrade|verify} --controller --group [--limit ip1,ip2]" + exit 1 +fi + +if [[ "$ACTION" != "verify" && ( -z "$CONTROLLER_IP" || -z "$VTAP_GROUP_ID" ) ]]; then + echo "❗ deploy/upgrade 必须传入 --controller 和 --group 参数" + exit 1 +fi + +#################################### +# 核心函数 +#################################### + +worker() { + local ip="$1" + local user="$2" + local pass="$3" + + echo "🔧 [$ACTION] 处理主机 $ip ($user)" + + if [[ "$ACTION" == "verify" ]]; then + verify_agent "$ip" "$user" "$pass" && { + echo "$ip" >> "$SUCCESS_FILE" + return + } || { + echo "$ip" >> "$FAILED_FILE" + return + } + fi + + remote_info=$(fetch_remote_info "$ip" "$user" "$pass") || { + echo "❌ $ip 获取远程信息失败" + echo "$ip" >> "$FAILED_FILE" + return + } + + arch=$(echo "$remote_info" | cut -d'|' -f1) + init=$(echo "$remote_info" | cut -d'|' -f2) + + if [[ "$init" == "unknown" ]]; then + echo "❌ $ip 不支持的初始化系统: $init" + echo "$ip" >> 
"$FAILED_FILE" + return + fi + + pkg_path=$(choose_agent_package "$arch" "$init") + + if [[ "$pkg_path" == "UNSUPPORTED" ]]; then + echo "❌ $ip 无匹配安装包: $arch/$init" + echo "$ip" >> "$FAILED_FILE" + return + fi + + install_agent "$ip" "$user" "$pass" "$pkg_path" && update_config "$ip" "$user" "$pass" && { + echo "✅ $ip $ACTION 完成" + echo "$ip" >> "$SUCCESS_FILE" + } || { + echo "❌ $ip 安装或配置失败" + echo "$ip" >> "$FAILED_FILE" + } + + echo "-------------------------------------------" +} + +fetch_remote_info() { + local ip="$1" user="$2" pass="$3" + + sshpass -p "$pass" ssh $SSH_OPTS "$user@$ip" bash <<'EOF' +arch=$(uname -m) +case "$arch" in + aarch64|arm64) arch="arm" ;; + *) arch="x86" ;; +esac + +if command -v systemctl >/dev/null; then init=systemd; +elif command -v initctl >/dev/null; then init=upstart; +else init=unknown; fi + +echo "${arch}|${init}" +EOF +} + +choose_agent_package() { + local arch="$1" init="$2" + + shopt -s nullglob + + declare -a patterns + + if [[ "$arch" == "arm" ]]; then + patterns=("$PKG_DIR"/deepflow-agent-*.$init.aarch64.*) + else + patterns=("$PKG_DIR"/deepflow-agent-*.$init-x86.* \ + "$PKG_DIR"/deepflow-agent-*.$init.*) + fi + + files=() + + for pattern in "${patterns[@]}"; do + for file in $pattern; do + files+=("$file") + done + done + + if [[ ${#files[@]} -gt 0 ]]; then + latest=$(printf "%s\n" "${files[@]}" | sort -V | tail -1) + echo "🎯 选择安装包: $latest" >&2 + echo "$latest" + else + echo "UNSUPPORTED" + fi +} + +install_agent() { + local ip="$1" user="$2" pass="$3" pkg_path="$4" + local remote_pkg="/tmp/agent.${pkg_path##*.}" + + sshpass -p "$pass" scp $SSH_OPTS "$pkg_path" "$user@$ip:$remote_pkg" + + sshpass -p "$pass" ssh $SSH_OPTS "$user@$ip" bash </dev/null; then SUDO="sudo"; else SUDO=""; fi + +if [[ "$remote_pkg" == *.rpm ]]; then + \$SUDO rpm -Uvh --replacepkgs "$remote_pkg" +elif [[ "$remote_pkg" == *.deb ]]; then + \$SUDO dpkg -i "$remote_pkg" || \$SUDO apt-get install -f -y +else + echo "❌ 不支持的安装包格式" + exit 1 +fi + +if 
command -v systemctl &>/dev/null; then + \$SUDO systemctl enable $SERVICE_NAME + \$SUDO systemctl restart $SERVICE_NAME +elif command -v service &>/dev/null; then + \$SUDO service $SERVICE_NAME restart + \$SUDO chkconfig $SERVICE_NAME on +elif command -v initctl &>/dev/null; then + \$SUDO initctl restart $SERVICE_NAME || \$SUDO initctl start $SERVICE_NAME +else + echo "❌ 无法识别服务管理方式" +fi +EOF +} + +update_config() { + local ip="$1" user="$2" pass="$3" + sshpass -p "$pass" ssh $SSH_OPTS "$user@$ip" bash </dev/null; then SUDO="sudo"; else SUDO=""; fi +CONFIG_FILE="/etc/deepflow-agent.yaml" +\$SUDO mkdir -p \$(dirname \$CONFIG_FILE) +cat </dev/null +controller-ips: + - $CONTROLLER_IP +vtap-group-id-request: "$VTAP_GROUP_ID" +CFG +\$SUDO chmod 644 "\$CONFIG_FILE" +\$SUDO chown root:root "\$CONFIG_FILE" +EOF +} + +verify_agent() { + local ip="$1" user="$2" pass="$3" + echo "🔍 $ip 状态检查:" + sshpass -p "$pass" ssh $SSH_OPTS "$user@$ip" " + systemctl is-active $SERVICE_NAME 2>/dev/null || \ + service $SERVICE_NAME status || \ + initctl status $SERVICE_NAME + " +} + +#################################### +# 并发控制主逻辑 +#################################### + +sem(){ + while [[ $(jobs -r | wc -l) -ge $MAX_PARALLEL ]]; do + sleep 0.5 + done +} + +while read -r ip user pass; do + if [[ -n "$LIMIT" ]]; then + IFS=',' read -ra LIMIT_IPS <<< "$LIMIT" + skip=true + for lim_ip in "${LIMIT_IPS[@]}"; do + [[ "$ip" == "$lim_ip" ]] && skip=false + done + $skip && continue + fi + + sem + worker "$ip" "$user" "$pass" & +done < "$IP_LIST" + +wait + +TOTAL_SUCCESS=$(wc -l < "$SUCCESS_FILE") +TOTAL_FAIL=$(wc -l < "$FAILED_FILE") + +echo "🎯 全部任务执行完成: 成功 $TOTAL_SUCCESS 台,失败 $TOTAL_FAIL 台" +if [[ -s "$FAILED_FILE" ]]; then + echo "❗ 失败主机列表已保存: $FAILED_FILE" +fi diff --git a/scripts/iptables_whitelist_enforce_final_fixed.sh b/scripts/iptables_whitelist_enforce_final_fixed.sh new file mode 100644 index 0000000..c2bce8c --- /dev/null +++ b/scripts/iptables_whitelist_enforce_final_fixed.sh 
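Review bot: Every remote call in `fetch_remote_info`, `install_agent`, `update_config` and `verify_agent` uses `sshpass -p "$pass"`, which puts each host's SSH password in the process arguments where any local user on the operator machine can read it via `ps` or `/proc/*/cmdline` for the life of the connection (up to `MAX_PARALLEL` passwords at once), and the same passwords sit in plaintext in `ip.list` with no permission check before the `while read -r ip user pass` loop consumes them. Switch to the environment form, `SSHPASS="$pass" sshpass -e ssh $SSH_OPTS "$user@$ip" ...`, and refuse to start unless the list is private: `[[ $(stat -c %a "$IP_LIST") == ?00 ]] || { echo "❗ $IP_LIST must be mode 0600" >&2; exit 1; }`. `SSH_OPTS` also carries `-o StrictHostKeyChecking=no`, so a host impersonating an entry in `ip.list` collects that password and receives the package, the sudo commands and the controller address with no warning; `accept-new` plus a maintained `known_hosts` is the safer default for a fleet tool. `CONTROLLER_IP` and `VTAP_GROUP_ID` are expanded locally into the heredoc fed to the remote root shell in `update_config` (the `\$SUDO` escapes indicate an unquoted delimiter, though the `<<EOF` lines look damaged in this rendering), so validate them against a strict pattern, e.g. `[[ $CONTROLLER_IP =~ ^[0-9.]+$ ]] || exit 1`, before they reach a remote shell. The same script also relies on `set -e` while every `worker` runs in the background, so a failed `scp` inside `install_agent` aborts only that subshell and the summary counts still look complete.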
@@ -0,0 +1,120 @@ +#!/bin/bash +# 只使用 iptables 管理白名单控制脚本 + +# 初始化配置 +ALLOW_ALL_IPS=( + 127.0.0.1 + 188.104.180.76 188.104.188.100 188.104.208.200 + 188.104.198.244 188.104.138.144 188.105.244.69 + 188.104.229.244 188.104.219.244 188.104.158.196 + 188.104.174.47 188.104.150.147 + 188.104.180.88 188.104.180.89 188.104.151.7 188.104.151.8 + 188.105.215.5 188.105.215.6 188.104.220.8 188.104.220.9 + 188.104.159.5 188.104.159.6 188.104.190.16 188.104.190.17 + 188.104.230.5 188.104.230.6 188.104.173.5 188.104.173.6 + 188.104.199.144 188.104.199.145 188.104.209.49 188.104.209.52 + 188.104.140.5 188.104.140.6 + 10.212.222.22 10.212.222.34 + 188.104.77.15 188.104.77.19 + 10.76.142.186 10.76.142.187 + 10.76.149.128 +) +ALLOW_CIDRS=( + 10.76.144.0/25 + 188.104.29.0/24 +) + +ACTION="$1" + +if [[ -z "$ACTION" ]]; then + echo "用法: $0 {add|delete|show}" + exit 1 +fi + +echo ">>> 模式: $ACTION" +echo ">>> 所有非白名单来源将被拒绝" +echo "" + +is_ipv6() { + [[ "$1" == *:* ]] +} + +run_cmd() { + local cmd="$1" + echo "[RUN] $cmd" + eval "$cmd" +} + +# 生成 iptables 规则 +generate_iptables_rules() { + + # 放行 ICMP 和 ICMPv6 规则(优先级最高) + echo "iptables -I INPUT -p icmp -j ACCEPT" + echo "ip6tables -I INPUT -p ipv6-icmp -j ACCEPT" + + # 生成允许的 IP 规则 + for ip in "${ALLOW_ALL_IPS[@]}"; do + echo "iptables -I INPUT -s $ip -j ACCEPT" + done + + # 生成允许的 CIDR 规则 + for cidr in "${ALLOW_CIDRS[@]}"; do + echo "iptables -I INPUT -s $cidr -j ACCEPT" + done + + # 默认 DROP 规则 + echo "iptables -A INPUT -j DROP" +} + +# 删除指定 iptables 规则 +delete_iptables_rules() { + + # 删除放行 ICMP 和 ICMPv6 规则(优先级最高) + echo "iptables -D INPUT -p icmp -j ACCEPT" + echo "ip6tables -D INPUT -p ipv6-icmp -j ACCEPT" + + # 删除允许的 IP 规则 + for ip in "${ALLOW_ALL_IPS[@]}"; do + echo "iptables -D INPUT -s $ip -j ACCEPT" + done + + # 删除允许的 CIDR 规则 + for cidr in "${ALLOW_CIDRS[@]}"; do + echo "iptables -D INPUT -s $cidr -j ACCEPT" + done + + # 删除默认 DROP 规则 + echo "iptables -D INPUT -j DROP" +} + +# 查看当前规则 +show_iptables_rules() { + echo "============= 
iptables -S =============" + iptables -S INPUT | sed 's/^-A /iptables -C /' + echo "============= ip6tables -S =============" + ip6tables -S INPUT | sed 's/^-A /ip6tables -C /' +} + +# 执行操作 +case "$ACTION" in + add) + generate_iptables_rules > iptables_rules.sh + echo "[INFO] 规则已生成并保存为 iptables_rules.sh 文件" + bash iptables_rules.sh + ;; + delete) + delete_iptables_rules > delete_iptables_rules.sh + echo "[INFO] 删除规则已保存为 delete_iptables_rules.sh 文件" + bash delete_iptables_rules.sh + ;; + show) + show_iptables_rules + ;; + *) + echo "无效的操作: $ACTION" + exit 1 + ;; +esac + +echo ">>> 操作完成。" +
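Review bot: `generate_iptables_rules` ends with `iptables -A INPUT -j DROP` for IPv4 only; `ip6tables` receives a single ICMPv6 ACCEPT and no DROP, so on a dual-stack host every non-whitelisted IPv6 source still reaches every listening service, contradicting the banner `所有非白名单来源将被拒绝`. There is also no `ESTABLISHED,RELATED` rule, so replies to the host's own outbound connections (DNS, package mirrors, the DeepFlow controller) are dropped unless the peer happens to be in `ALLOW_ALL_IPS`, and because allows use `-I` while DROP uses `-A`, each repeated `add` run stacks another full copy of the rule set on top of the previous one. Add `iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` to the generated rules, give IPv6 the same treatment and a final `ip6tables -A INPUT -j DROP` (`is_ipv6` is defined but never used, so IPv6 entries in the arrays would currently be fed to `iptables` and fail), and guard the `add` path with `iptables -C INPUT -j DROP 2>/dev/null && { echo "[INFO] rules already present"; exit 1; }`. Consider also an explicit `-i lo -j ACCEPT`, since the `127.0.0.1` entry covers only that one source address and only for IPv4.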