Virtual Deployments
At threatER, we pride ourselves on providing our customers with a cost-effective means to make threat intelligence truly actionable, by blocking malicious traffic in real time with no measurable impact on network performance. The majority of our customers deploy our threatER Enforce software on dedicated on-premise hardware, but for customers who are interested in protecting their virtual infrastructure, we also support virtual deployments using KVM. (And yes, we also support native protection for AWS, Azure, and GCP workloads, too.)
Prerequisites
- KVM enabled x86_64 host (Ubuntu 22.04 preferred for best performance)
- At least two cores and 4GB RAM must be provided to the Enforcer guest VM.
- A VNC client or virt-manager is recommended for guest console access.
- Three Ethernet ports: one dedicated to threatER Enforce administration and two for the bridging pair. The following device types are supported for KVM use:
- e1000, i40, igc, & ixgbe
- At least 32G of host disk is available for installation.
- The following deployment example uses PCI passthrough (host-device assignment) to expose the host's bridging-pair NICs directly to the threatER Enforce guest for low-latency bridging. To use this feature, the host kernel arguments must include intel_iommu=on.
Software Installation
Once you have prepared your virtual appliance, please see our documentation on installing threatER Enforce using an ISO. Once you have downloaded the ISO threatER Enforce installation media, copy it to the KVM host to be used. If you are unsure how to obtain a copy, contact our Customer Success team.
Use virt-install and deploy a new image with cdrom referencing the Enforcer ISO image (you may need to obtain the virtinst package if not already installed):
Note: Adjust the site-specific parameters to match your configuration: the guest name, the disk path, the ISO path, the MAC address and source NIC of the admin interface, and the two PCI addresses of the bridging-pair NICs.
virt-install --connect qemu:///system \
--virt-type kvm \
--name enforce \
--noautoconsole \
--ram 4096 \
--vcpus=2 \
--os-variant ubuntu22.04 \
--disk path=/var/lib/libvirt/images/threater/enforce.qcow2,format=qcow2,size=30 \
--cdrom /var/lib/libvirt/images/enforce_xvz_amd64.iso \
--network type=direct,mac=52:54:00:73:96:6c,source=eno3 \
--host-device=pci_0000_65_00_0 \
--host-device=pci_0000_65_00_1 \
--cpu host,+invtsc
Open a console on Virt Manager UI (or use “virsh console enforce”) and the following should be presented:
Use the <tab> key to select the interface to be used for admin and configure an IP address:
Keep the defaults and select [ Done ]
Again, Keep the defaults and select [Done]
Select [ Continue ] to start the installation.
Upon completion, the screen above will be presented. Select Reboot now. (On some systems it may be necessary to manually power-off the VM.)
Next, the threatER Enforce software is installed upon login. Log in as ubuntu with the default password enforce and re-enter the default password enforce when prompted. This automatically finishes the installation for you.
When the installation is complete, power down the VM. When the VM is restarted, the usual threatER Enforce onboarding (such as initial licensing and provisioning) can be completed. Consult our Customer Success team (see https://support.threater.com) if you need assistance with onboarding. The VM image can now be started without the cdrom ISO attached to the VM if desired.
Performance considerations:
In order to obtain the best performance possible (maximum throughput and minimum latency), it is recommended that several host/KVM parameters be configured. In the following steps we isolate host cores 1 & 2 via the Linux isolcpus boot parameter, then pin the Enforcer guest VM to these isolated cores. This ensures that the threatER Enforce software will not be moved off host CPUs 1 & 2 nor be interrupted by other host workloads.
1. CPU isolation:
On Linux hosts, CPUs can be isolated from the scheduler via the isolcpus= parameter:
This is done by:
- Editing /etc/default/grub and adding “isolcpus=1,2” to the GRUB_CMDLINE_LINUX_DEFAULT entry
- Then running update-grub
- Rebooting the host
2. Pinning Enforcer guest cores.
Now that host cores 1 & 2 are isolated we want to configure KVM such that the Enforcer guest is pinned to those cores:
This can be done by:
- Running “virsh edit enforce”
- Adding the following as a direct child of the <domain> element (vcpu ids 0 and 1 correspond to the two vCPUs given to virt-install via --vcpus=2):
    <cputune>
      <vcpupin vcpu="0" cpuset="1"/>
      <vcpupin vcpu="1" cpuset="2"/>
    </cputune>
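The prerequisites above require intel_iommu=on on the host kernel command line, and the two performance steps only help if every vCPU is pinned to a distinct core that isolcpus actually isolated. The following pre-flight check is an added example, not threatER's own tooling: it parses a kernel command line and a libvirt domain XML and reports any mismatch. The command line and domain XML embedded here are constructed samples; on a real host you would feed it the contents of /proc/cmdline and the output of "virsh dumpxml enforce".

```python
"""Pre-flight check for an isolated, pinned KVM guest (added example, not vendor code).

Parses the host kernel command line for isolcpus= and intel_iommu=on, then
checks the <cputune> block of a libvirt domain XML so that every vCPU is
pinned to a distinct isolated host core. Inputs below are constructed
samples; on a real host use /proc/cmdline and `virsh dumpxml <name>`.
"""
import xml.etree.ElementTree as ET

# Constructed sample of a host /proc/cmdline after the grub edit described in the text.
SAMPLE_CMDLINE = (
    "BOOT_IMAGE=/vmlinuz-5.15.0-generic root=/dev/mapper/vg-root ro "
    "quiet splash isolcpus=1,2 intel_iommu=on"
)

# Constructed, trimmed-down domain XML carrying the <cputune> block from the text.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>enforce</name>
  <vcpu placement='static'>2</vcpu>
  <cputune>
    <vcpupin vcpu='0' cpuset='1'/>
    <vcpupin vcpu='1' cpuset='2'/>
  </cputune>
</domain>"""


def parse_cpu_list(spec):
    """Expand a kernel/libvirt CPU list such as '1,2' or '0,4-6' into a set of ints."""
    cpus = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            cpus.update(range(int(lo), int(hi) + 1))
        else:
            cpus.add(int(part))
    return cpus


def parse_cmdline(cmdline):
    """Return (isolated_cpus, iommu_enabled) from a kernel command line string."""
    args = dict(tok.split("=", 1) if "=" in tok else (tok, "") for tok in cmdline.split())
    isolated = parse_cpu_list(args["isolcpus"]) if "isolcpus" in args else set()
    iommu = args.get("intel_iommu") == "on"
    return isolated, iommu


def check_pinning(domain_xml, isolated_cpus):
    """Return a list of problems; an empty list means pinning agrees with isolcpus."""
    problems = []
    root = ET.fromstring(domain_xml)
    vcpu_count = int(root.findtext("vcpu") or 0)
    pins = {}
    for pin in root.iterfind("./cputune/vcpupin"):
        vcpu = int(pin.get("vcpu"))
        cpuset = parse_cpu_list(pin.get("cpuset"))
        pins[vcpu] = cpuset
        if not cpuset <= isolated_cpus:
            problems.append(
                f"vcpu {vcpu} pinned to {sorted(cpuset)}, outside isolated set {sorted(isolated_cpus)}"
            )
    missing = set(range(vcpu_count)) - set(pins)
    if missing:
        problems.append(f"vcpus {sorted(missing)} have no <vcpupin> entry")
    # Two vCPUs sharing a host core would defeat the point of isolating it.
    for a in pins:
        for b in pins:
            if a < b and pins[a] & pins[b]:
                problems.append(f"vcpu {a} and vcpu {b} share host cpu(s) {sorted(pins[a] & pins[b])}")
    return problems


def preflight(cmdline, domain_xml):
    """Run both checks; returns a list of human-readable problems (empty when all is well)."""
    isolated, iommu = parse_cmdline(cmdline)
    problems = []
    if not iommu:
        problems.append("intel_iommu=on missing from kernel command line (required for PCI passthrough)")
    if not isolated:
        problems.append("isolcpus= missing from kernel command line")
    problems.extend(check_pinning(domain_xml, isolated))
    return problems


if __name__ == "__main__":
    for line in preflight(SAMPLE_CMDLINE, SAMPLE_DOMAIN_XML) or ["ok: pinning matches isolcpus"]:
        print(line)
```

Run it after the grub edit and reboot, and again after "virsh edit enforce"; an empty problem list confirms that the cores named in <cputune> are exactly the ones the scheduler was told to leave alone, which is the condition the performance steps depend on.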