Linux / arm64
The DOCA Flow Inspector runs inside of its own Kubernetes pod on BlueField and is intended to receive mirrored packets for analysis. The packets received are parsed and sent in a predefined struct to a telemetry collector which manages the rest of the telemetry aspects.
The Flow Inspector runs on top of the Data Plane Development Kit (DPDK) to acquire L4. The packets are then filtered based on the ports configured in the JSON input file. The non-filtered packets are parsed into a predefined struct and forwarded to the telemetry collector using IPC.
All preparation steps are listed under DOCA's Container Deployment User Guide.
Note: The DOCA Service container is configured for K8S-based deployment, hence the use of the docker pull command is discouraged.
echo 2048 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
mkdir /mnt/huge
mount -t hugetlbfs nodev /mnt/huge
The .yaml configuration for our container is doca_flow_inspector.yaml:
wget --content-disposition https://api.ngc.nvidia.com/v2/resources/nvidia/doca/doca_container_configs/versions/2.0.2v1/files/configs/2.0.2/doca_flow_inspector.yaml
Note: The file is also stored with the rest of the .yaml configurations that were pulled from NGC in the previous steps (see "Installation and Getting Started").
The .yaml file can be easily edited according to one's needs.
env:
  # Set according to the local setup
  - name: SF_NUM_1
    value: "2"
  # Additional EAL flags, if needed
  - name: EAL_FLAGS
    value: ""
  # Service-Specific command line arguments
  - name: SERVICE_ARGS
    value: "--policy /flow_inspector/flow_inspector_cfg.json -l 60"
-l, --log-level <value> ; Set the log level for the program <CRITICAL=20, ERROR=30, WARNING=40, INFO=50, DEBUG=60>
-p, --policy <json_path> ; Sets the JSON path inside the container
-t, --time <seconds> ; Time period to check for changes in JSON config file (in seconds)
Simply copy the updated doca_flow_inspector.yaml file to the /etc/kubelet.d directory. Kubelet will automatically pull the container image from NGC, and spawn a pod executing the container. The DOCA Flow Inspector Service will start running immediately.
# View currently active pods, and their IDs (it might take up to 20 seconds for the pod to start)
crictl pods
# View currently active containers, and their IDs
crictl ps
# Examine logs of a given container
crictl logs <container-id>
# Examine kubelet logs, in case something didn't work as expected
journalctl -u kubelet
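The following preflight script is an added example, not part of the DOCA documentation or the NGC configuration. It checks the hugepage allocation, the hugetlbfs mount and the SERVICE_ARGS value of the edited manifest before the file is copied to /etc/kubelet.d. The function names, the ./doca_flow_inspector.yaml working path and the rule that a --policy path must be present are assumptions of this example.

```shell
# Added example: preflight checks for the deployment steps on this page.

# hugepages_ok FILE MIN: the kernel may allocate fewer pages than were
# requested, so read the count back instead of trusting the echo.
hugepages_ok() {
    n=$(cat "$1" 2>/dev/null) || return 1
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    [ "$n" -ge "$2" ]
}

# hugetlbfs_mounted MOUNTS DIR: DIR is a hugetlbfs mount in a /proc/mounts-style file.
hugetlbfs_mounted() {
    awk -v d="$2" '$2 == d && $3 == "hugetlbfs" { ok = 1 } END { exit !ok }' "$1"
}

# service_args MANIFEST: print the quoted value that follows "- name: SERVICE_ARGS".
service_args() {
    awk '/name:[ \t]*SERVICE_ARGS/ { want = 1; next }
         want && /value:/ { sub(/^[^"]*"/, ""); sub(/"[^"]*$/, ""); print; exit }' "$1"
}

# args_ok ARGS: a policy path is required (assumption of this example); a log
# level, if given, must be one of the documented values 20 30 40 50 60.
args_ok() {
    policy=""; level=""
    set -- $1                                   # split ARGS on whitespace
    while [ $# -gt 0 ]; do
        case "$1" in
            -p|--policy)    policy="${2:-}" ;;
            -l|--log-level) level="${2:-}" ;;
        esac
        shift
    done
    case "$policy" in ''|-*) echo "SERVICE_ARGS: no --policy path" >&2; return 1 ;; esac
    case "$level" in ''|20|30|40|50|60) return 0 ;; esac
    echo "SERVICE_ARGS: bad log level '$level'" >&2; return 1
}

# preflight NR_FILE MOUNTS MOUNT_DIR MANIFEST: all checks, stopping at the first failure.
preflight() {
    hugepages_ok "$1" 2048      || { echo "fewer than 2048 hugepages in $1" >&2; return 1; }
    hugetlbfs_mounted "$2" "$3" || { echo "hugetlbfs not mounted on $3" >&2; return 1; }
    [ -f "$4" ]                 || { echo "manifest not found: $4" >&2; return 1; }
    args_ok "$(service_args "$4")"
}

# Run against the real paths with: sh preflight.sh --run
[ "${1:-}" != "--run" ] || preflight /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages \
    /proc/mounts /mnt/huge ./doca_flow_inspector.yaml
```

A zero exit status from `preflight` means the manifest can be copied to /etc/kubelet.d; any failure prints the reason to stderr.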
Please refer to the documentation for more information.
The DOCA Flow Inspector Service guide is available here.
DOCA is licensed under the NVIDIA DOCA License. By pulling and using the container, you accept the terms and conditions of this license.
Use the NVIDIA Developers forum for questions regarding this Software.