
DOCA Application Recognition

Description

The DOCA Application Recognition (AR) application identifies the applications in use on a monitored networking node by leveraging the hardware acceleration of NVIDIA DPUs.

Publisher

NVIDIA

Latest Tag

1.3.0

Modified

July 1, 2022

Compressed Size

56.25 MB

Multinode Support

No

Multi-Arch Support

No

1.3.0 (Latest) Scan Results

Linux / arm64

What is DOCA?

Data Center Infrastructure-on-a-Chip Architecture

The NVIDIA® DOCA™ SDK (software development kit) enables developers to rapidly create applications and services on top of NVIDIA BlueField® data processing units (DPUs), leveraging industry-standard APIs.

DOCA Application Recognition

The Application Recognition (AR) DOCA App runs on top of Data Plane Development Kit (DPDK) based Stateful Flow Tracking (SFT) to identify the flow that each packet belongs to, then uses DPI to perform L7 classification.

Application Architecture

  1. Signatures are compiled by the DPI compiler and then loaded into the DPI engine.
  2. Ingress traffic is identified using the stateful table module in the DPDK libraries, which utilizes the connection tracking hardware offloads. This lets flows be classified at the hardware level and forwarded to the hairpin queue without being processed by software, which increases performance dramatically.
  3. Traffic is scanned against the DPI engine's compiled signature DB.
  4. Post-processing is performed to reach a match decision.
  5. Matched flows are identified, and actions can be offloaded to the hardware to increase performance, as no further inspection is needed.
  6. Flow termination is handled by the SFT aging timer, which is set to 60 seconds. Once a flow is offloaded, it cannot be tracked and destroyed.

Installation and Getting Started

All preparation steps are listed under DOCA's Container Deployment User Guide.

Note: The DOCA Application container is configured for K8S-based deployment, hence the use of the docker pull command is discouraged.

Preparation steps for the DOCA Application

As explained in the application's documentation, some resource allocation steps are needed before the application can be executed:

# Allocate huge-pages, required by DPDK
echo 2048 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages

# Make sure the regex engine is active
systemctl status mlx-regex
# If the status is inactive (“Active: failed”), run
systemctl start mlx-regex

The application is meant to be used with Scalable Functions (SFs), hence they should be configured accordingly. An example illustration is shown in the application's system design section.

Once all SFs and OVS bridges are configured, we can continue on to the next step, in which we will notify the container about them.

Adjusting the .yaml configuration

The .yaml configuration for our container is doca_application_recognition.yaml:

wget --content-disposition https://api.ngc.nvidia.com/v2/resources/nvidia/doca/doca_container_configs/versions/1.3.0/files/configs/1.3.0/doca_application_recognition.yaml

Note: The file is also stored with the rest of the .yaml configurations that were pulled from NGC in the previous steps (see "Installation and Getting Started").

We are going to focus on the deployment-specific fields:

  • SF_NUM_1, SF_NUM_2 - Identifiers of used SFs. For example, "4" means we will tell the application to use "mlx5_core.sf.4"
  • EAL_FLAGS - Additional EAL flags to be passed to DPDK (only if needed)
  • APP_ARGS - Application command line arguments (path to signature file, etc.)

Note: The container currently shares a directory with the DPU:

  • DPU's view - /tmp/doca_application_recognition
  • Container's view - /doca_application_recognition

Please make sure to create this directory (or modify the .yaml to use a path of your liking):

mkdir /tmp/doca_application_recognition

Important: Once created, make sure to copy your signature file to this folder, so that the application inside the container will be able to access it.
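The preparation steps above can be verified in one pass before the .yaml is copied into /etc/kubelet.d. The following pre-flight script is an added example, not part of NVIDIA's documentation or the container. Because the shared directory sits under world-writable /tmp and holds the signature file that DPI matches against, it also checks that the directory is not a symlink and is writable only by its owner. The function names, their parameters and the SYSTEMCTL override are hypothetical; the paths, the 2048 huge-page count and the mlx-regex service name are the page's.

```shell
#!/bin/sh
# Added example: pre-flight checks for the preparation steps on this page.
# Defaults are the page's values; function names, parameters and the
# SYSTEMCTL override are hypothetical and exist so the checks can be tested.
HP_FILE_DEFAULT=/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
SHARED_DEFAULT=/tmp/doca_application_recognition

check_hugepages() {      # $1 = nr_hugepages file, $2 = minimum page count
    n=$(cat "${1:-$HP_FILE_DEFAULT}" 2>/dev/null) || return 1
    [ "${n:-0}" -ge "${2:-2048}" ] 2>/dev/null
}

check_regex_service() {  # succeeds only when mlx-regex is active
    "${SYSTEMCTL:-systemctl}" is-active --quiet mlx-regex
}

check_shared_dir() {     # $1 = shared directory (DPU's view)
    d=${1:-$SHARED_DEFAULT}
    # Must be a real directory, not a symlink planted at that path.
    [ -d "$d" ] && [ ! -L "$d" ] || return 1
    # Must belong to the user running the check (root on the DPU).
    [ -O "$d" ] || return 1
    # Must not be group- or world-writable, or signatures could be replaced.
    [ -z "$(find "$d" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]
}

check_signature() {      # $1 = shared directory, $2 = signature file name
    f="${1:-$SHARED_DEFAULT}/$2"
    [ -n "$2" ] && [ -f "$f" ] && [ ! -L "$f" ] && [ -s "$f" ]
}

preflight() {            # $1 = dir, $2 = signature name, $3 = nr_hugepages file
    rc=0
    check_hugepages "$3" ||
        { echo "FAIL: fewer than 2048 huge pages allocated" >&2; rc=1; }
    check_regex_service ||
        { echo "FAIL: mlx-regex is not active" >&2; rc=1; }
    check_shared_dir "$1" ||
        { echo "FAIL: shared dir missing, symlinked or writable by others" >&2; rc=1; }
    check_signature "$1" "$2" ||
        { echo "FAIL: signature file missing, symlinked or empty" >&2; rc=1; }
    return $rc
}
```

Source the file and run `preflight "" <signature-file-name>` as root on the DPU to use the page's default paths; a non-zero return means at least one step still needs attention.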

Spawning the container

Simply copy the updated doca_application_recognition.yaml file to the /etc/kubelet.d directory. Kubelet will automatically pull the container image from NGC and spawn a pod executing the container. The DOCA Application Recognition application will start executing right away, and its printouts can be seen via the container's logs:

# View currently active pods, and their IDs (it might take up to 20 seconds for the pod to start)
crictl pods

# View currently active containers, and their IDs
crictl ps

# Examine logs of a given container
crictl logs <container-id>

# Examine kubelet logs, in case something didn't work as expected
journalctl -u kubelet

Please refer to the documentation for more information.

Documentation

The DOCA Application Recognition developer guide is available here.

License & EULA

DOCA is licensed under the NVIDIA DOCA License. By pulling and using the container, you accept the terms and conditions of this license.

Technical Support

Use the NVIDIA Developers forum for questions regarding this Software.