All files are supposed to be placed in the /srv/mitigator working directory:
mkdir -p /srv/mitigator
cd /srv/mitigator
Place base Docker Compose configuration in the working directory:
wget https://docs.mitigator.ru/v22.08/dist/docker-compose.yml
For Mellanox network cards you need to use other base configuration:
wget https://docs.mitigator.ru/v22.08/dist/docker-compose.hostmode.yml -O docker-compose.yml
Download base variable file and save it as .env:
wget https://docs.mitigator.ru/v22.08/dist/env -O /srv/mitigator/.env
In the .env file, specify:
VERSION).ARCH) example file.DATA_PLANE_NR_POLICIES).DATA_PLANE_NR_POLICIES_IPV6).MITIGATOR_OWN_NAME, required).MITIGATOR_HOST_ADDRESS, required).TZ).TOKEN).
The .env file is set to TOKEN by default. It is required to change it.These settings are described in detail inside the example file.
For maximum performance of MITIGATOR, you need to use a build that is optimized for the architecture and instruction set of the target machine’s CPU.
The .env file must contain a line like this:
ARCH=haswell
Available options:
nehalem - CPUs with SSE4.2 support,haswell - modern CPUs with AVX2 support.You can find your CPU in the Intel catalog, the microarchitecture is indicated in the line Code Name.
You need to create a data-plane.conf file that describes the launch options for the
packet processor:
touch data-plane.conf
The configuration file is empty by default. You only need to edit it if you need to specify settings other than those automatically selected. Settings description.
Ports in an application are called ext0, int0, ext1, int1, and so on. ext - ports of the external network,
int - ports of the internal (protected) network. Combined into ext-int pairs by index in the name.
ext-int port pairs are used to route traffic in an «inline» connection scheme.
In the «on-a-stick» scheme, ext-int pairs are not used and can be anything.
If no ports are specified in the settings, all ports on the system available to DPDK are used. In this case, the ports are listed according to the ascending order of their PCI addresses. ext-int port pairs are formed only for ports from a shared NUMA node.
If the default port listing order does not match the physical connection of the links, or if you want to limit the list of ports used, you can explicitly configure the ports:
ext0: 04:00.1
int0: 04:00.0
ext1: 84:00.1
int1: 84:00.0
Before starting MITIGATOR, the network ports assigned to it must be controlled by the driver chosen during system preparation.
For systems running systemd, bind before starting the MITIGATOR service (see next section).
Download the binding script and make it executable:
wget https://docs.mitigator.ru/v22.08/dist/dpdk-devbind -O /usr/local/bin/dpdk-devbind
chmod +x /usr/local/bin/dpdk-devbind
Create /etc/systemd/system/mitigator.service.d directory:
mkdir -p /etc/systemd/system/mitigator.service.d
In it, place a nics.conf file of the following form:
[Service]
ExecStartPre=/usr/local/bin/dpdk-devbind -b vfio-pci 04:00.0 04:00.1 84:00.0 84:00.1
Change the driver and PCI addresses to the required ones.
MITIGATOR is started with the docker-compose up -d command.
For systems running systemd, you need to configure a ready service:
Place Mitigator service file:
wget https://docs.mitigator.ru/v22.08/dist/mitigator.service \
-O /etc/systemd/system/mitigator.service
Configure MITIGATOR autorun:
systemctl enable mitigator
When you first start or update, you need to log in to the image store with your credentials::
docker login docker.mitigator.ru
Launch MITIGATOR:
systemctl start mitigator
It will take some time for the images to load on the first run.
The process can be observed in the output of docker-compose logs -f
or, for systemd:
journalctl -u mitigator -f
After some time, the MITIGATOR web-interface will be available at the address of the control interface.
After installation and launch, configure the system for stable and secure operation.