MITIGATOR Installation
All files are supposed to be placed in the /srv/mitigator
working directory:
mkdir -p /srv/mitigator
cd /srv/mitigator
1. Docker Compose
-
Place base Docker Compose configuration in the working directory:
wget https://docs.mitigator.ru/v23.12/dist/docker-compose.yml
For Mellanox (NVIDIA) network cards you need to use other base configuration:
wget https://docs.mitigator.ru/v23.12/dist/docker-compose.hostmode.yml -O docker-compose.yml
-
Download base variable file and save it as
.env
:wget https://docs.mitigator.ru/v23.12/dist/env -O /srv/mitigator/.env
-
In the
.env
file, specify:- System version (
VERSION
). - The microarchitecture of the processor from the list specified in the (
ARCH
) example file. - The maximum number of IPv4 protection policies (
DATA_PLANE_NR_POLICIES
). - The maximum number of IPv6 protection policies (
DATA_PLANE_NR_POLICIES_IPV6
). - Instance name in the cluster (
MITIGATOR_OWN_NAME
, required). - External address of MITIGATOR (
MITIGATOR_HOST_ADDRESS
, required). - Proxy for the license server (ls.mitigator.ru), mail notifications and the Vestochka service.
- Time zone (
TZ
). - Token for interaction between the backend and the watchhog (
TOKEN
). The.env
file is set toTOKEN
by default. It is required to change it.
- System version (
These settings are described in detail inside the example file.
2. Packet processor
Processor architecture
For maximum performance of MITIGATOR, you need to use a build that is optimized for the architecture and instruction set of the target machine’s CPU.
The .env
file must contain a line like this:
ARCH=haswell
Available options:
nehalem
- CPUs with SSE4.2 support,haswell
- modern CPUs with AVX2 support.
You can find your CPU in the Intel catalog, the microarchitecture is indicated in the line Code Name.
Processing parameters
Packet processing is configured automatically by default.
Create and edit dataplane.conf
file to override these settings.
File format reference.
Port selection
Ports in an application are called ext0
, int0
, ext1
, int1
, and so on. ext
- ports of the external network,
int
- ports of the internal (protected) network. Combined into ext-int pairs by index in the name.
ext-int port pairs are used to route traffic in an «inline» connection scheme.
In the «on-a-stick» scheme, ext-int pairs are not used and can be anything.
If no ports are specified in the settings, all ports on the system available to DPDK are used. In this case, the ports are listed according to the ascending order of their PCI addresses. ext-int port pairs are formed only for ports from a shared NUMA node.
If the default port listing order does not match the physical connection of the links, or if you want to limit the list of ports used, you can explicitly configure the ports:
ext0: 04:00.1
int0: 04:00.0
ext1: 84:00.1
int1: 84:00.0
3. Binding drivers to network ports
Before starting MITIGATOR, the network ports assigned to it must be controlled by the driver chosen during system preparation.
For systems running systemd, bind before starting the MITIGATOR service (see next section).
-
Download the binding script and make it executable:
wget https://docs.mitigator.ru/v23.12/dist/dpdk-devbind -O /usr/local/bin/dpdk-devbind chmod +x /usr/local/bin/dpdk-devbind
-
Create
/etc/systemd/system/mitigator.service.d
directory:mkdir -p /etc/systemd/system/mitigator.service.d
In it, place a
nics.conf
file of the following form:[Service] ExecStartPre=/usr/local/bin/dpdk-devbind -b vfio-pci 04:00.0 04:00.1 84:00.0 84:00.1
Change the driver and PCI addresses to the required ones.
4. Downloading images and launching
MITIGATOR is started with the docker-compose up -d
command.
For systems running systemd, you need to configure a ready service:
-
Place Mitigator service file:
wget https://docs.mitigator.ru/v23.12/dist/mitigator.service \ -O /etc/systemd/system/mitigator.service
-
Configure MITIGATOR autorun:
systemctl enable mitigator
-
When you first start or update, you need to log in to the image store with your credentials::
docker login docker.mitigator.ru
-
Launch MITIGATOR:
systemctl start mitigator
It will take some time for the images to load on the first run. The process can be observed in the output of
docker-compose logs -f
or, for systemd:journalctl -u mitigator -f
After some time, the MITIGATOR web-interface will be available at the address of the control interface.
After installation and launch, configure the system for stable and secure operation.