
DOCA Flow Inspector


Description

The DOCA Flow Inspector service monitors real-time data and extracts telemetry components that other services can use for security, big data, and other telemetry-based purposes.

Publisher

NVIDIA

Latest Tag

1.3.0

Modified

September 6, 2022

Compressed Size

56.28 MB

Multinode Support

No

Multi-Arch Support

No

1.3.0 (Latest) Scan Results

Linux / arm64

Introduction

The DOCA Flow Inspector runs inside of its own Kubernetes pod on BlueField and is intended to receive mirrored packets for analysis. The packets received are parsed and sent in a predefined struct to a telemetry collector which manages the rest of the telemetry aspects.

The Flow Inspector runs on top of the Data Plane Development Kit (DPDK) to acquire L4. The packets are then filtered based on the ports configured in the JSON input file. Packets that are not filtered out are parsed into a predefined struct and forwarded to the telemetry collector using IPC.

Installation and Getting Started

All preparation steps are listed under DOCA's Container Deployment User Guide.

Note: The DOCA Service container is configured for K8S-based deployment, hence the use of the docker pull command is discouraged.

Preparation steps for the DOCA Service

Allocate hugepages

echo 2048 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
mkdir /mnt/huge
mount -t hugetlbfs nodev /mnt/huge

Adjusting the .yaml configuration

The .yaml configuration for our container is doca_flow_inspector.yaml:

wget --content-disposition https://api.ngc.nvidia.com/v2/resources/nvidia/doca/doca_container_configs/versions/1.3.0/files/configs/1.3.0/doca_flow_inspector.yaml

Note: The file is also stored with the rest of the .yaml configurations that were pulled from NGC in the previous steps (see "Installation and Getting Started").

The .yaml file can be easily edited according to one's needs.

    env:
      # Set according to the local setup
      - name: SF_NUM_1
        value: "2"
      # Additional EAL flags, if needed
      - name: EAL_FLAGS
        value: ""
      # Service-Specific command line arguments
      - name: SERVICE_ARGS
        value: "--policy /flow_inspector/flow_inspector_cfg.json -l 4"

  1. The SF_NUM_1 value can be changed according to the scalable function used in the OVS configuration and can be found using the command in the SF guide linked above.
  2. The EAL_FLAGS value should be changed according to the DPDK flags required when running the container.
  3. The SERVICE_ARGS are the runtime arguments received by the service, which are as follows:

    -l, --log-level <value>    Sets the log level from 0 to 4
    -p, --policy <json_path>   Sets the JSON path inside the container
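
The preparation steps above can be checked before the .yaml file is handed to kubelet. The following preflight script is an added example, not part of NVIDIA's page or the DOCA service; the function names are hypothetical, and it assumes the 2048-page count and the /mnt/huge mount point used on this page are the values the service needs.

```shell
# Added example (not NVIDIA's code): preflight for the preparation steps.

# hugepages_ok NR_FILE MIN: at least MIN hugepages are allocated.
hugepages_ok() {
    n=$(cat "$1" 2>/dev/null) || return 1
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    [ "$n" -ge "$2" ]
}

# hugetlbfs_mounted MOUNTS_FILE DIR: DIR is a hugetlbfs mount (/proc/mounts layout).
hugetlbfs_mounted() {
    awk -v d="$2" '$2 == d && $3 == "hugetlbfs" { ok = 1 } END { exit !ok }' "$1"
}

# service_args YAML: print the value of the SERVICE_ARGS env entry.
service_args() {
    awk '/name: *SERVICE_ARGS/ { want = 1; next }
         want && /value:/ { sub(/^[^"]*"/, ""); sub(/"[^"]*$/, ""); print; exit }' "$1"
}

# log_level_ok ARGS: every "-l N" / "--log-level N" has N from 0 to 4.
# Assumption: an absent flag passes, since the page gives no default.
log_level_ok() {
    set -f; set -- $1; set +f    # split on whitespace without globbing
    while [ $# -gt 0 ]; do
        case "$1" in -l|--log-level)
            case "${2:-}" in [0-4]) shift ;; *) return 1 ;; esac ;;
        esac
        shift
    done
}

# preflight YAML [NR_FILE] [MOUNTS_FILE]: run every check, list failures.
preflight() {
    nr=${2:-/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages}
    rc=0
    hugepages_ok "$nr" 2048 || { echo "FAIL: fewer than 2048 hugepages"; rc=1; }
    hugetlbfs_mounted "${3:-/proc/mounts}" /mnt/huge ||
        { echo "FAIL: /mnt/huge is not a hugetlbfs mount"; rc=1; }
    args=$(service_args "$1" 2>/dev/null) || args=""
    [ -n "$args" ] || { echo "FAIL: no SERVICE_ARGS in $1"; rc=1; }
    log_level_ok "$args" || { echo "FAIL: log level outside 0..4: $args"; rc=1; }
    return $rc
}

if [ $# -gt 0 ]; then preflight "$@"; fi
```

Saved under a name of your choice and run with the path to doca_flow_inspector.yaml as its argument, it prints one FAIL line per failed check and exits non-zero if any check fails.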

Spawning the container

Simply copy the updated doca_flow_inspector.yaml file to the /etc/kubelet.d directory. Kubelet will automatically pull the container image from NGC, and spawn a pod executing the container. The DOCA Flow Inspector Service will start running immediately.

# View currently active pods, and their IDs (it might take up to 20 seconds for the pod to start)
crictl pods

# View currently active containers, and their IDs
crictl ps

# Examine logs of a given container
crictl logs <container-id>

# Examine kubelet logs, in case something didn't work as expected
journalctl -u kubelet

Please refer to the documentation for more information.

Documentation

The DOCA Flow Inspector Service guide is available here.

License & EULA

DOCA is licensed under the NVIDIA DOCA License. By pulling and using the container, you accept the terms and conditions of this license.

Technical Support

Use the NVIDIA Developers forum for questions regarding this Software.