caida/ark

By caida

Updated 2 months ago

A simple ARK measurement node

Image
Networking
0

6.8K

caida/ark repository overview

A container based client for the Archipelago active measurement project. This container will run the team-probing, topo-v6, and fireball activities.

Running

At this early testing stage each instance needs some manual configuration by CAIDA staff. If you know the public IP address that the container will use then we can add that to our metadata server and your container will automatically fetch all of its configuration when it starts up. Otherwise we can generate an authentication token for you to provide as an environment variable when running the container.

A persistent volume is useful to store the ark configuration and the certificates. Without that, new certificates will need to be signed and fetched every time the container is started, and you must always use the same IP address (if specified) or an authentication token.

An easy way to run and manage the ark docker container is to wrap it in a systemd service. You can place a service file that looks something like this in /etc/systemd/system/ark.service:

[Unit]
Description=CAIDA Ark Docker Container
After=network-online.target docker.service
Requires=docker.service

[Service]
User=root
Restart=always
# If needed, provide the ARK_AUTH_TOKEN variable directly or in a file
#EnvironmentFile=/etc/ark/env
#Environment="ARK_AUTH_TOKEN=XXX"
ExecStartPre=-/usr/bin/docker stop ark
ExecStartPre=-/usr/bin/docker rm ark
ExecStartPre=/usr/bin/docker pull caida/ark:latest
ExecStart=/usr/bin/docker run                    \
            --name ark                           \
            --env ARK_AUTH_TOKEN=$ARK_AUTH_TOKEN \
            --volume ark-volume:/etc/ark/        \
            caida/ark:latest
ExecStop=/usr/bin/docker stop ark

[Install]
WantedBy=multi-user.target

then reload systemd, enable the service, and start it:

sudo systemctl daemon-reload
sudo systemctl enable --now ark.service

Environment Variables

Either the IP address must be entered into the configuration system or the ARK_AUTH_TOKEN must be set, otherwise the container will not run. Other variables can optionally be set to control specific behavior. Depending on your environment you may want to put it in an env file, or protect it using a docker or kubernetes secret rather than specifying it directly in the systemd service file.

VariableDescription
ARK_AUTH_TOKENStatic token used to query the configuration server
ARK_PROMETHEUS_EXPORTERSet to enable the prometheus metrics exporter on port 8000
DISABLE_ARK_ACTIVITY_FIREBALLSet to prevent the fireball activity from running
DISABLE_ARK_ACTIVITY_ITDKSet to prevent the ITDK activity from running
DISABLE_ARK_ACTIVITY_TEAMSet to prevent the team-probing activity from running
DISABLE_ARK_ACTIVITY_V6Set to prevent the topo-v6 activity from running

Updating

To make sure that your container receives security, performance, and capability updates we would appreciate you enabling some sort of automated update system and running images using the latest or 1 tags.

If running in a larger deployment then you probably already have kubernetes infrastructure to keep containers up to date, and should use that.

If you are running the ark container as a systemd service and have configured it like the example to pull the latest image before starting (e.g. ExecStartPre=/usr/bin/docker pull caida/ark:latest) then that should be sufficient.

Alternatively, you might want to try something like watchtower.

Tag summary

Content type

Image

Digest

sha256:1061640f1

Size

131.2 MB

Last updated

2 months ago

docker pull caida/ark:1