MITIGATOR Installation

All files are supposed to be placed in the /srv/mitigator working directory:

mkdir -p /srv/mitigator
cd /srv/mitigator

1. Docker Compose

  1. Place base Docker Compose configuration in the working directory:

    wget https://docs.mitigator.ru/v24.04/dist/docker-compose.yml
  2. Download base variable file and save it as .env:

    wget https://docs.mitigator.ru/v24.04/dist/env -O /srv/mitigator/.env
  3. In the .env file, specify:

    • System version (VERSION).
    • The microarchitecture of the processor from the list specified in the (ARCH) example file.
    • The maximum number of IPv4 protection policies (DATA_PLANE_NR_POLICIES).
    • The maximum number of IPv6 protection policies (DATA_PLANE_NR_POLICIES_IPV6).
    • Instance name in the cluster (MITIGATOR_OWN_NAME, required).
    • External address of MITIGATOR (MITIGATOR_HOST_ADDRESS, required).
    • Proxy for the license server (ls.mitigator.ru), mail notifications and the Vestochka service.
    • Time zone (TZ).
    • Token for interaction between the backend and the watchhog (TOKEN). The .env file is set to TOKEN by default. It is required to change it.

These settings are described in detail inside the example file.

2. Packet processor

Processor architecture

For maximum performance of MITIGATOR, you need to use a build that is optimized for the architecture and instruction set of the target machine’s CPU.

The .env file must contain a line like this:

ARCH=haswell

Available options:

  • nehalem - CPUs with SSE4.2 support,
  • haswell - modern CPUs with AVX2 support.

You can find your CPU in the Intel catalog, the microarchitecture is indicated in the line Code Name.

Processing parameters

Packet processing is configured automatically by default. Create and edit dataplane.conf file to override these settings. File format reference.

Port selection

Ports in an application are called ext0, int0, ext1, int1, and so on. ext - ports of the external network, int - ports of the internal (protected) network. Combined into ext-int pairs by index in the name. ext-int port pairs are used to route traffic in an «inline» connection scheme. In the «on-a-stick» scheme, ext-int pairs are not used and can be anything.

If no ports are specified in the settings, all ports on the system available to DPDK are used. In this case, the ports are listed according to the ascending order of their PCI addresses. ext-int port pairs are formed only for ports from a shared NUMA node.

If the default port listing order does not match the physical connection of the links, or if you want to limit the list of ports used, you can explicitly configure the ports:

ext0: 04:00.1
int0: 04:00.0
ext1: 84:00.1
int1: 84:00.0

3. Binding drivers to network ports

Before starting MITIGATOR, the network ports assigned to it must be controlled by the driver chosen during system preparation.

For systems running systemd, bind before starting the MITIGATOR service (see next section).

  • Download the binding script and make it executable:

    wget https://docs.mitigator.ru/v24.04/dist/dpdk-devbind -O /usr/local/bin/dpdk-devbind
    chmod +x /usr/local/bin/dpdk-devbind
  • Create /etc/systemd/system/mitigator.service.d directory:

    mkdir -p /etc/systemd/system/mitigator.service.d

    In it, place a nics.conf file of the following form:

    [Service]
    ExecStartPre=/usr/local/bin/dpdk-devbind -b vfio-pci 04:00.0 04:00.1 84:00.0 84:00.1

    Change the driver and PCI addresses to the required ones.

4. Downloading images and launching

MITIGATOR is started with the docker-compose up -d command.

For systems running systemd, you need to configure a ready service:

  • Place Mitigator service file:

    wget https://docs.mitigator.ru/v24.04/dist/mitigator.service \
        -O /etc/systemd/system/mitigator.service
  • Configure MITIGATOR autorun:

    systemctl enable mitigator
  • When you first start or update, you need to log in to the image store with your credentials::

    docker login docker.mitigator.ru
  • Launch MITIGATOR:

    systemctl start mitigator

    It will take some time for the images to load on the first run. The process can be observed in the output of docker-compose logs -f or, for systemd:

    journalctl -u mitigator -f

    After some time, the MITIGATOR web-interface will be available at the address of the control interface.

After installation and launch, configure the system for stable and secure operation.