A container based client for the Archipelago active measurement project. This container will run the team-probing, topo-v6, and fireball activities.
At this early testing stage each instance needs some manual configuration by CAIDA staff. If you know the public IP address that the container will use then we can add that to our metadata server and your container will automatically fetch all of its configuration when it starts up. Otherwise we can generate an authentication token for you to provide as an environment variable when running the container.
A persistent volume is useful to store the ark configuration and the certificates. Without that, new certificates will need to be signed and fetched every time the container is started, and you must always use the same IP address (if specified) or an authentication token.
An easy way to run and manage the ark docker container is to wrap it in a
systemd service. You can place a service file that looks something like
this in /etc/systemd/system/ark.service:
[Unit]
Description=CAIDA Ark Docker Container
After=network-online.target docker.service
Requires=docker.service
[Service]
User=root
Restart=always
# If needed, provide the ARK_AUTH_TOKEN variable directly or in a file
#EnvironmentFile=/etc/ark/env
#Environment="ARK_AUTH_TOKEN=XXX"
ExecStartPre=-/usr/bin/docker stop ark
ExecStartPre=-/usr/bin/docker rm ark
ExecStartPre=/usr/bin/docker pull caida/ark:latest
ExecStart=/usr/bin/docker run \
--name ark \
--env ARK_AUTH_TOKEN=$ARK_AUTH_TOKEN \
--volume ark-volume:/etc/ark/ \
caida/ark:latest
ExecStop=/usr/bin/docker stop ark
[Install]
WantedBy=multi-user.target
then reload systemd, enable the service, and start it:
sudo systemctl daemon-reload
sudo systemctl enable --now ark.service
Either the IP address must be entered into the configuration system or the ARK_AUTH_TOKEN must be set, otherwise the container will not run. Other variables can optionally be set to control specific behavior. Depending on your environment you may want to put it in an env file, or protect it using a docker or kubernetes secret rather than specifying it directly in the systemd service file.
| Variable | Description |
|---|---|
| ARK_AUTH_TOKEN | Static token used to query the configuration server |
| ARK_PROMETHEUS_EXPORTER | Set to enable the prometheus metrics exporter on port 8000 |
| DISABLE_ARK_ACTIVITY_FIREBALL | Set to prevent the fireball activity from running |
| DISABLE_ARK_ACTIVITY_ITDK | Set to prevent the ITDK activity from running |
| DISABLE_ARK_ACTIVITY_TEAM | Set to prevent the team-probing activity from running |
| DISABLE_ARK_ACTIVITY_V6 | Set to prevent the topo-v6 activity from running |
To make sure that your container receives security, performance, and capability
updates we would appreciate you enabling some sort of automated update system and running images using the latest or 1 tags.
If running in a larger deployment then you probably already have kubernetes infrastructure to keep containers up to date, and should use that.
If you are running the ark container as a systemd service and have configured
it like the example to pull the latest image before starting
(e.g. ExecStartPre=/usr/bin/docker pull caida/ark:latest) then that should
be sufficient.
Alternatively, you might want to try something like watchtower.
Content type
Image
Digest
sha256:1061640f1…
Size
131.2 MB
Last updated
2 months ago
docker pull caida/ark:1