
DOCA Flow Inspector

Description: The DOCA Flow Inspector service allows monitoring real-time data and extracting telemetry components, which can be used by security, big data and many other telemetry-based services.
Publisher: NVIDIA
Latest Tag: 1.3.0-doca2.5.0
Modified: February 1, 2024
Compressed Size: 89.18 MB
Multinode Support: No
Multi-Arch Support: No
1.3.0-doca2.5.0 (Latest) Security Scan Results

Linux / arm64


Introduction

The DOCA Flow Inspector runs inside of its own Kubernetes pod on BlueField and is intended to receive mirrored packets for analysis. The packets received are parsed and sent in a predefined struct to a telemetry collector which manages the rest of the telemetry aspects.

The Flow Inspector runs on top of the Data Plane Development Kit (DPDK) to acquire L4. The packets are then filtered based on the ports configured in the JSON input file. The non-filtered packets are parsed to a predefined struct and forwarded to the telemetry collector using IPC.

Service Architecture

Installation and Getting Started

All preparation steps are listed under DOCA's Container Deployment User Guide.

Note: The DOCA Service container is configured for K8S-based deployment, hence the use of the docker pull command is discouraged.

Preparation steps for the DOCA Service

Allocate hugepages

echo 2048 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
mkdir /mnt/huge
mount -t hugetlbfs nodev /mnt/huge

Adjusting the .yaml configuration

The .yaml configuration for our container is doca_flow_inspector.yaml:

wget --content-disposition https://api.ngc.nvidia.com/v2/resources/nvidia/doca/doca_container_configs/versions/2.5.0v1/files/configs/2.5.0/doca_flow_inspector.yaml

Note: The file is also stored with the rest of the .yaml configurations that were pulled from NGC in the previous steps (see "Installation and Getting Started").

The .yaml file can be easily edited according to one's needs.

    env:
      # Set according to the local setup
      - name: SF_NUM_1
        value: "2"
      # Additional EAL flags, if needed
      - name: EAL_FLAGS
        value: ""
      # Service-Specific command line arguments
      - name: SERVICE_ARGS
        value: "--policy /flow_inspector/flow_inspector_cfg.json -l 60"

  1. The SF_NUM_1 value can be changed according to the scalable function used in the OVS configuration; it can be found using the command in the SF guide linked above.
  2. The EAL_FLAGS value should be changed according to the DPDK flags required when running the container.
  3. The SERVICE_ARGS value holds the runtime arguments received by the service, which are as follows:
     -l, --log-level <value>    Sets the (numeric) log level for the program <10=DISABLE, 20=CRITICAL, 30=ERROR, 40=WARNING, 50=INFO, 60=DEBUG, 70=TRACE>
     -p, --policy <json_path>   Sets the JSON path inside the container

Spawning the container

Simply copy the updated doca_flow_inspector.yaml file to the /etc/kubelet.d directory. Kubelet will automatically pull the container image from NGC, and spawn a pod executing the container. The DOCA Flow Inspector Service will start running immediately.

# View currently active pods, and their IDs (it might take up to 20 seconds for the pod to start)
crictl pods

# View currently active containers, and their IDs
crictl ps

# Examine logs of a given container
crictl logs <container-id>

# Examine kubelet logs, in case something didn't work as expected
journalctl -u kubelet
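
A pre-flight check for the preparation steps above, for use before the file is copied to /etc/kubelet.d or when the pod does not start. It is an added example, not part of NVIDIA's documentation. The function names and the --run switch are assumptions of this example; the paths, the 2048-page count and the flag list are the ones shown on this page.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for the preparation steps on this page.
# Each function takes its input file or string as an argument, so it can be
# exercised against constructed data as well as the live system.

# hugepages_ok NR_FILE MIN: the kernel reports at least MIN allocated pages.
# (Writing to nr_hugepages can leave fewer pages than requested, so read back.)
hugepages_ok() (
    nr=$(cat "$1" 2>/dev/null) || exit 1
    case "$nr" in ''|*[!0-9]*) exit 1 ;; esac
    [ "$nr" -ge "$2" ]
)

# hugetlbfs_mounted MOUNTS_FILE DIR: DIR is a mount point of type hugetlbfs.
hugetlbfs_mounted() {
    awk -v dir="$2" '$2 == dir && $3 == "hugetlbfs" { found = 1 }
                     END { exit !found }' "$1"
}

# service_args_ok ARGS: ARGS uses only the two flags documented on the page,
# each flag has a value, and the log level is one of the seven listed numbers.
service_args_ok() (
    set -f                      # no glob expansion while word-splitting
    set -- $1
    while [ $# -gt 0 ]; do
        [ $# -ge 2 ] || exit 1  # flag without a value
        case "$1" in
            -p|--policy) ;;
            -l|--log-level)
                case "$2" in 10|20|30|40|50|60|70) ;; *) exit 1 ;; esac ;;
            *) exit 1 ;;        # flag not documented on the page
        esac
        shift 2
    done
)

# preflight ARGS: run all checks against the live system (hypothetical helper).
preflight() {
    rc=0
    hugepages_ok /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages 2048 ||
        { echo "fewer than 2048 hugepages of 2048 kB are allocated" >&2; rc=1; }
    hugetlbfs_mounted /proc/mounts /mnt/huge ||
        { echo "hugetlbfs is not mounted on /mnt/huge" >&2; rc=1; }
    service_args_ok "$1" ||
        { echo "SERVICE_ARGS: unknown flag, missing value or bad log level" >&2; rc=1; }
    return "$rc"
}

# Runs only when invoked as: script --run "<SERVICE_ARGS value>"
if [ "${1-}" = "--run" ]; then preflight "${2-}"; fi
```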

Please refer to the documentation for more information.

Documentation

The DOCA Flow Inspector Service guide is available here.

License & EULA

DOCA is licensed under the NVIDIA DOCA License. By pulling and using the container, you accept the terms and conditions of this license.

Technical Support

Use the NVIDIA Developers forum for questions regarding this Software.