All files are placed in the /srv/mitigator working directory; create it and change into it:
    mkdir -p /srv/mitigator
    cd /srv/mitigator
Place the base Docker Compose configuration in the working directory. For Mellanox network cards, use the host-mode base configuration instead of the standard one:
    wget https://docs.mitigator.ru/v22.06/dist/docker-compose.hostmode.yml -O docker-compose.yml
Download the base variable file and save it as /srv/mitigator/.env:
    wget https://docs.mitigator.ru/v22.06/dist/env -O /srv/mitigator/.env
In the .env file, specify the settings documented in the example file (among them the build variant, ARCH). The value that is set to TOKEN by default in the .env file is a placeholder and is required to be changed before the first start: generate a long random value rather than choosing a memorable one, because the default is public. These settings are described in detail inside the example file.
For maximum performance of MITIGATOR, use a build optimized for the architecture and instruction set of the target machine's CPU. The .env file must contain a line of the form ARCH=<variant>, where <variant> is one of:
    nehalem - CPUs with SSE4.2 support,
    haswell - modern CPUs with AVX2 support.
You can find your CPU in the Intel catalog; the microarchitecture is indicated in the Code Name line. Check the CPU flags rather than guessing: a build for an instruction set the CPU lacks does not run slower, it does not run at all.
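The following script is an added example, not part of the MITIGATOR documentation or distribution. It covers the two .env preparation steps above: it picks the ARCH variant from the flags line of /proc/cpuinfo (avx2 gives haswell, otherwise sse4_2 gives nehalem, anything else is refused), it reports any variable in a .env file that still carries the TOKEN placeholder, and it generates a random replacement value. The variable name EXAMPLE_SECRET used in the demo file is a constructed example, not a real MITIGATOR setting.

```shell
#!/bin/sh
# Added example (not from the MITIGATOR docs): choose ARCH from CPU flags
# and refuse a .env that still contains the TOKEN placeholder.

# pick_arch FLAGS
# FLAGS is the space-separated list from the "flags" line of /proc/cpuinfo.
# AVX2 implies SSE4.2, so the most capable supported build wins.
pick_arch() {
    case " $1 " in
        *" avx2 "*)   echo haswell ;;
        *" sse4_2 "*) echo nehalem ;;
        *) echo "no supported build: CPU has neither avx2 nor sse4_2" >&2
           return 1 ;;
    esac
}

# host_arch: pick_arch for the machine this script runs on.
host_arch() {
    pick_arch "$(awk -F: '/^flags/ { print $2; exit }' /proc/cpuinfo)"
}

# env_placeholders FILE
# Prints every VAR=TOKEN line of FILE and returns 1 if there is any, so
# the caller can stop before the first start with a publicly known default.
env_placeholders() {
    if grep -nE '^[A-Za-z_][A-Za-z0-9_]*=TOKEN[[:space:]]*$' "$1"; then
        return 1
    fi
    return 0
}

# new_secret: 32 random bytes from /dev/urandom as 64 hex characters.
new_secret() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# demo: constructed sample .env (EXAMPLE_SECRET is not a real MITIGATOR
# variable) showing the checks in action.
demo() {
    f=$(mktemp)
    printf 'ARCH=%s\nEXAMPLE_SECRET=TOKEN\n' "$(pick_arch "fpu sse4_2 avx2")" > "$f"
    if ! env_placeholders "$f"; then
        echo "placeholder found, replacement value: $(new_secret)"
    fi
    rm -f "$f"
}
```

Source the file and run `host_arch` to get the value for the ARCH line, `env_placeholders /srv/mitigator/.env` as a gate before the first `systemctl start`, and `demo` to see both checks on the constructed sample.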
Create a data-plane.conf file that describes the launch options for the data plane. The file is empty by default; edit it only if you need settings other than those selected automatically. See the settings description for the full list.
Ports in the application are called ext0, int0, ext1, int1, and so on:
    ext - ports of the external network,
    int - ports of the internal (protected) network.
Ports are combined into ext-int pairs by the index in the name. The ext-int pairs are used to route traffic in the «inline» connection scheme. In the «on-a-stick» scheme the pairs are not used, and the pairing can be arbitrary.
If no ports are specified in the settings, all ports on the system available to DPDK are used. In this case the ports are listed in ascending order of their PCI addresses, and ext-int pairs are formed only from ports on the same NUMA node.
If the default listing order does not match the physical connection of the links, or if you want to limit the list of ports used, configure the ports explicitly:
    ext0: 04:00.1
    int0: 04:00.0
    ext1: 84:00.1
    int1: 84:00.0
Verify the mapping against the physical cabling before putting the system inline: with a swapped pair, traffic arriving from the external network would be handled as internal.
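To see how the default pairing rule works out on a given host, here is an added script (not from the MITIGATOR documentation or distribution). It takes "PCI-address NUMA-node" pairs, sorts them by ascending PCI address, forms ext/int pairs only within one NUMA node, and reports any port left unpaired. The page does not say which port of a default pair becomes ext; the script assumes the lower PCI address is ext, so treat its output as a draft for data-plane.conf to verify against the cabling, not as the data plane's own algorithm. The sample input in the test is constructed.

```shell
#!/bin/sh
# Added example (not MITIGATOR code): draft ext/int port pairs following
# the default rule as described: ascending PCI address, pairs only inside
# one NUMA node. Which side of a pair is ext is an ASSUMPTION here
# (lower address = ext); check the result against the physical links.

# pair_ports: reads "PCI NUMA" lines on stdin, writes "extN: PCI" and
# "intN: PCI" lines on stdout, and unpaired ports on stderr.
pair_ports() {
    LC_ALL=C sort -k2,2n -k1,1 | awk '
        BEGIN { node = "none" }           # sentinel: no NUMA node seen yet
        $2 != node {                      # entering a new NUMA node
            if (pending != "")
                print "unpaired on node " node ": " pending > "/dev/stderr"
            node = $2; pending = ""
        }
        pending == "" { pending = $1; next }   # first port of a pair
        {
            printf "ext%d: %s\nint%d: %s\n", n, pending, n, $1
            n++; pending = ""
        }
        END {
            if (pending != "")
                print "unpaired on node " node ": " pending > "/dev/stderr"
        }'
}

# host_ports: "PCI NUMA" for every PCI device whose class is a network
# controller (0x02xxxx), read from sysfs. sysfs names carry the PCI domain
# (0000:04:00.0) while the page writes the short form (04:00.0).
# Pipe the output into pair_ports.
host_ports() {
    for d in /sys/bus/pci/devices/*; do
        case "$(cat "$d/class")" in
            0x02*) echo "$(basename "$d") $(cat "$d/numa_node")" ;;
        esac
    done
}
```

Usage on a real host: `host_ports | pair_ports`. A port on a NUMA node with no partner is printed on stderr instead of being paired, which is the situation the page describes where only ports sharing a NUMA node form pairs.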
Before starting MITIGATOR, the network ports assigned to it must be bound to the driver chosen during system preparation. For systems running systemd, the binding can be done automatically before the MITIGATOR service starts (see the next section). Download the binding script and make it executable:
    wget https://docs.mitigator.ru/v22.06/dist/dpdk-devbind -O /usr/local/bin/dpdk-devbind
    chmod +x /usr/local/bin/dpdk-devbind
The script runs as root on every service start, so review what you downloaded before installing it.
Create a drop-in directory for the service:
    mkdir -p /etc/systemd/system/mitigator.service.d
In it, place a nics.conf file of the following form:
    [Service]
    ExecStartPre=/usr/local/bin/dpdk-devbind -b vfio-pci 04:00.0 04:00.1 84:00.0 84:00.1
Change the driver and PCI addresses to the required ones. Binding a port to a DPDK driver detaches it from the kernel network stack, so the list must not include the management interface; vfio-pci additionally requires the IOMMU to be enabled in firmware and kernel.
MITIGATOR is started with the docker-compose up -d command.
For systems running systemd, a ready-made service unit is provided instead. Place the MITIGATOR service file:
    wget https://docs.mitigator.ru/v22.06/dist/mitigator.service -O /etc/systemd/system/mitigator.service
Enable MITIGATOR autorun:
    systemctl enable mitigator
On the first start or on an update, log in to the image registry with your credentials:
    docker login docker.mitigator.ru
Then start the service:
    systemctl start mitigator
Note that docker login stores the credentials in ~/.docker/config.json, base64-encoded rather than encrypted, unless a credential helper is configured; restrict access to that file.
It will take some time for the images to download on the first run. The process can be observed in the output of
    docker-compose logs -f
or, for systemd:
    journalctl -u mitigator -f
After some time, the MITIGATOR web interface becomes available at the address of the control interface.
After installation and launch, configure the system for stable and secure operation.