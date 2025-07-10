This guide provides the minimal instructions for setting up DOCA on a standard system.

Note Make sure to follow the instructions in this section sequentially. Make sure to update DOCA on the host side first before installing the BFB Bundle on the BlueField.

Find the DOCA installation files for host and BlueField from the NVIDIA DOCA Downloads page.

If an older DOCA (or MLNX_OFED) software version is installed on your host, make sure to uninstall it before proceeding with the installation of the new version:

Deb-based Copy Copied! $ for f in $( dpkg --list | grep doca | awk '{print $2}' ); do echo $f ; apt remove --purge $f -y ; done $ /usr/sbin/ofed_uninstall.sh --force $ sudo apt-get autoremove RPM-based Copy Copied! host# for f in $(rpm -qa | grep -i doca ) ; do yum -y remove $f; done host# /usr/sbin/ofed_uninstall.sh --force host# yum autoremove host# yum makecache

Install RShim to manage and flash the BlueField platform.

OS Procedure Deb-based Download the DOCA host repo from the NVIDIA DOCA Downloads page. Unpack the deb repo. Run: Copy Copied! host# sudo dpkg -i <repo_file> Perform apt update. Run: Copy Copied! host# sudo apt-get update Run apt install for RShim: Copy Copied! host# sudo apt install rshim RPM-based Download the DOCA host repo from the NVIDIA DOCA Downloads page. Unpack the RPM repo. Run: Copy Copied! host# sudo rpm -Uvh <repo_file> Enable new dnf repos. Run: Copy Copied! host# sudo dnf makecache Run dnf install to install RShim: Copy Copied! host# sudo dnf install rshim

Note Skip section "Installing Software on Host" if you intend to update only the BlueField software ( *.bfb ). The RShim driver is sufficient for that purpose.

This section highlights the signing methods used to ensure the authenticity and integrity of the packages and the kernel modules.

RPM packages are signed using a GPG key, allowing users to verify that the packages originate from a trusted NVIDIA source and have not been tampered with.

For the package manager to verify the signature:

Obtain the public GPG Key by d ownloading NVIDIA's RPM-GPG-KEY-Mellanox-SHA256 key: Copy Copied! # wget http://www.mellanox.com/downloads/ofed/RPM-GPG-KEY-Mellanox-SHA256 --2018-01-25 13:52:30-- http://www.mellanox.com/downloads/ofed/RPM-GPG-KEY-Mellanox-SHA256 Resolving www.mellanox.com... 72.3.194.0 Connecting to www.mellanox.com|72.3.194.0|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 1354 (1.3K) [text/plain] Saving to: ?RPM-GPG-KEY-Mellanox-SHA256? 100%[=================================================>] 1,354 --.-K/s in 0s 2018-01-25 13:52:30 (247 MB/s) - ?RPM-GPG-KEY-Mellanox-SHA256? saved [1354/1354] Import the public key to the package manager 's key ring: Copy Copied! # sudo rpm --import RPM-GPG-KEY-Mellanox-SHA256 warning: rpmts_HdrFromFdno: Header V3 DSA/SHA1 Signature, key ID 6224c050: NOKEY Retrieving key from file:///repos/MLNX_OFED//RPM-GPG-KEY-Mellanox Importing GPG key 0x6224C050: Userid: "Mellanox Technologies (Mellanox Technologies - Signing Key v2) " From : /repos/MLNX_OFED//RPM-GPG-KEY-Mellanox-SHA256 Is this ok [y/N]: Verify that the key is successfully imported: Copy Copied! # rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}

' | grep Mellanox gpg-pubkey-a9e4b643-520791ba gpg(Mellanox Technologies ) Update the package manager: Copy Copied! sudo yum update

Kernel drivers are signed using NVIDIA's x.509 public key , allowing users to verify that the drivers originate from a trusted NVIDIA source and have not been tampered with.

To support loading DOCA-HOST drivers on a secure-boot-enabled OS, the NVIDIA x.509 public key should be added to the key database by following these steps:

Obtain NVIDIA's public x.509 key : Copy Copied! # wget http: Note Builds for SLES15 SP4 and SP5 are signed with a newer signing key. The corresponding public key can be downloaded from this link. Import the public key to the MOK list using the mokutil utility: Copy Copied! # mokutil -- import mlnx_signing_key_pub.der Info Users will be asked to enter and confirm a password for this MOK enrollment request. Reboot the system.

Note Skip this section if you intend to update only the BlueField software ( *.bfb ). The RShim driver is sufficient for that purpose.

Note Make sure to have followed the instructions under "Installing Prerequisites on Host for Target BlueField".

If the kernel version on your host is not supported (not shown under section "Supported Host OS and Features per DOCA-Host Installation Profile"), users may opt to either:

Switch to a compatible kernel; or

Install doca-extra package and run doca-kernel-support

doca-kernel-support is a script intended to rebuild kernel modules included with DOCA-host for cases where they are not provided. It builds a single package (i.e., rpm or deb ) that contains a repository of packages (i.e., dnf or apt ).

DOCA-host provides binary builds of kernel modules for some specific kernels. This script rebuilds kernel modules included with DOCA-host for a custom kernel version and creates an RPM or DEB package that holds all of those rebuilt modules for easy install.

Note doca-kernel-support does not support customized or unofficial kernels.

To run doca-kernel-support :

Run: Copy Copied! host# apt/yum install -y doca-extra Execute the doca-kernel-support script which rebuilds and installs the DOCA-host kernel modules with the running kernel: Copy Copied! host# /opt/mellanox/doca/tools/doca-kernel-support The output may end with rpm or deb with the following general format: Copy Copied! doca-kernel-support: Built single package : <doca-kernel-repo> doca-kernel-support: Done Output example: Copy Copied! doca-kernel-support: Built single package : /tmp/DOCA.EuUfkWfV7Z/doca-kernel-repo- 2.9 . 0 - 1 .kver. 5.14 . 0.356 .el9.x86. 64 .x86_64.rpm doca-kernel-support: Done Note doca-kernel-support does not support customized or unofficial kernels. Install the generated meta-package on the desired DOCA profile: Info The examples provided install DOCA kernel repos (RPM/DEB) with doca-ofed profile, but other profiles may be installed if they are supported. Format for RPM-based distributions: Copy Copied! host# rpm -i <doca-kernel-repo> host# dnf makecache host# dnf install <doca-userspace-metapackage> host# dnf install --disablerepo=doca doca-kernel-KERNEL_VERSION # For all the meta- package , not just this single package Example: Copy Copied! host# rpm -i /tmp/DOCA.EuUfkWfV7Z/doca-kernel-repo- 2.9 . 0 - 1 .kver. 5.14 . 0.356 .el9.x86. 64 .x86_64.rpm host# dnf makecache host# dnf install doca-ofed-userspace host# dnf install --disablerepo=doca doca-kernel- 5.14 . 0.356 .el9.x86. 64 .x86_64.noarch

Format for DEB-based distributions: Copy Copied! host# dpkg -i <doca-kernel-repo> host# apt update host# apt install <doca-profile> Example: Copy Copied! host# dpkg -i /tmp/DOCA.J8JYxEmffD/doca-kernel-repo- 2.9 . 0 - 6.4 . 0 .mlnx_2. 9 .0_amd64.deb host# apt update host# apt install doca-ofed (Optional) Retrieve installed packages and their versions as part of DOCA Host installation: Collapse Source Copy Copied! host# /opt/mellanox/doca/tools/doca-info Versions: - DOCA Base MLNX_OFED_LINUX- 24.07 - 0.5 . 5.0 - MFT 4.29 . 0 - 127 UEFI\ATF versions: - mst_device: mt41692_pciconf0 UEFI Version: 4.7 . 0 - 42 -g13081ae ATF Version: 4.7 . 0 - 25 -g5569834 Firmware (Current): - BlueField- 3 32.41 . 1000 DOCA: - doca-all 2.8 . 0 - 0.0 . 4 - doca-apsh-config 2.8 . 0079 - 1 - doca-bench 2.8 . 0079 - 1 … DOCA Dependencies: … - flexio 24.07 . 2300 - mlnx-dpdk 22.11 . 0 - 2407.0 . 10 OFED: … - rdma-core 2407mlnx52- 1.2407055 … - ucx 1.17 . 0 - 1.2407055 … Note If BlueField has a BF-Bundle version older than 2.7.0 installed on it, the UEFI/ATF versions would appear as N/A. If your version is 2.7.0 or higher and still see N/A, then perform driver restart on the host: Copy Copied! /etc/init.d/openibd restart

To update existing DOCA host packages, follow these steps:

Install the newer version of the DOCA host repository as detailed in the section titled "Installing Software on Host". Upgrade the DOCA packages To upgrade from DOCA version 2.5.x, all DOCA and OFED related packages should be removed . For detailed instructions on how to uninstall these packages, please refer to the uninstall section "Uninstalling Software from Host".

To upgrade from DOCA 2.6.0 and later, use the following command: For DEB-based distributions: Copy Copied! host# apt install doca-all For RPM-based distributions: Copy Copied! host# yum upgrade doca-all

Before upgrading mlnx-fw-updater , make sure to restart MST first: Copy Copied! host# mst restart

NVIDIA provides DOCA packages to be installed on common OSs. These packages are provided as binaries, and NVIDIA provides full support for them.

NVIDIA also provides a support model for DOCA used on open-source community OSs. The goal of this new support model is to enable customers to use community-maintained variants of the Linux OS, without being limited to the distributions that NVIDIA provides primary support for.

In the community model, there is shared responsibility between NVIDIA and customers choosing to use community OSs in their environment:

NVIDIA owns basic validation for the OSs, so that customers know they can expect DOCA to work.

Customers are responsible for building their own packages and binaries (based on source code and build instructions detailed below), and can also choose to deploy parts of DOCA instead of the whole package

Note NVIDIA provides support to customers and partners with Support contracts. In certain cases, NVIDIA will require the customer to work with the community to fix issues deemed to be caused by the community breaking DOCA.

To install doca-host-community on a host, follow these steps:

Install the doca-host-community repository that includes sources and tools to generate the DOCA community repo: For RPM-based packages: Copy Copied! host# rpm -Uvh doca-host-repo-community-{doca_version}.noarch.rpm Example: Copy Copied! host# rpm -Uvh doca-host-repo-community- 2.9 . 0 - 0.2 . 9.24 . 10.0 . 5.2 . 0 .noarch.rpm

For DEB-based packages: Copy Copied! host# dpkg -i doca-host_{doca_version}-community_all.deb Example: Copy Copied! host# dpkg -i doca-host_2. 9.0 - 100000 - 24.10 -community_all.deb Run the build script to generate the doca-host-community repository: Copy Copied! host# /opt/mellanox/doca/tools/doca-community-build The script output should include a line similar to the following: For RPM-based packages: Copy Copied! host# doca-community-build: Built single package : /tmp/DOCA.Lz1pntWcGM/doca-community-repo- 24.10 . 0.5 . 2.0 - 1 .kver. 4.18 . 0.477 . 10.1 .el8. 8 .x86. 64 .x86_64.rpm

For DEB-based packages: Copy Copied! host# doca-community-build: Built single package : /tmp/DOCA.gcVyNokLfV/doca-community-repo- 24.10 - 0.5 . 2.0 - 6.8 . 0.31 .generic_24. 10.0 . 5.2 .0_amd64.deb Info The binary created by the script can be copied to any similar machine with the same kernel It contains all of the doca-ofed profile built packages, with extra meta-package that depends on those packages, installing the meta-package will install all of the built packages The resulting DOCA community repo should be ready for installation on this host or distributed to any other similar machine with the same distribution and kernel: For RPM-based (non-SLES) packages: Copy Copied! host# yum install /tmp/DOCA.m6rIcEJNKl/doca-community-repo- 24.10 . 0.4 . 6.0 - 1 .kver. 5.14 . 0.427 . 13.1 .el9. 4 .x86. 64 .x86_64.rpm host# yum makecache

For SLES RPM-based packages: Copy Copied! host# zypper install /tmp/DOCA.m6rIcEJNKl/doca-community-repo- 24.10 . 0.4 . 6.0 - 1 .kver. 5.14 . 0.427 . 13.1 .el9. 4 .x86. 64 .x86_64.rpm host# zypper refresh

For DEB-based packages: Copy Copied! host# apt install /tmp/DOCA.gcVyNokLfV/doca-community-repo- 24.10 - 0.5 . 2.0 - 6.8 . 0.31 .generic_24. 10.0 . 5.2 .0_amd64.deb host# apt update Install doca-ofed-community meta-package: Copy Copied! host# yum/apt install doca-ofed-community

The installation procedure does not install proprietary packages. Those packages are installed upon request.

List of close-source proprietary packages:

Clusterkit

DPCP

hcoll

sharp

ibutils2

opensm

Currently, the only way to install these packages is by using an already-built RPM or DEB file from a similar primary OS.

The following table maps community OSs which are most similar to primary OSs:

Community OS Most Similar Primary OS Alma 8.5 RHEL 8.5 Anolis OS 8.4 RHEL 8.5 CentOS Stream 8 RHEL 8 CentOS Stream 9 RHEL 9 EulerOS-V2.0.SP10 EulerOS-V2.0.SP11 Fedora 35 RHEL 8.5 OpenEuler-20.03.SP1 OpenEuler20 SP3 OpenSUSE 15.3 SLES15 SP3 Photon OS 3.0 RHEL 7.9 UOS-V20-1040d Debian 10.8

Before installation, search for the required package using your system's package manager: Copy Copied! # apt/zypper/dnf/yum search mlnx-nvme # apt/zypper/dnf/yum search mlnx-nfsrdma Once the correct package name is identified, install it using: Copy Copied! # apt/zypper/dnf/yum install <full- package -name>

Installation examples:

For SLES: Copy Copied! # zypper search mlnx-nvme # zypper install mlnx-nvme-kmp- default

For Debian-based systems: Copy Copied! # apt search mlnx-nvme # apt search mlnx-nfsrdma # apt install mlnx-nvme-dkms # apt install mlnx-nfsrdma-dkms

Warning ATF will not boot 150W BlueField-3 platforms if the ATX +12V is not connected. This is meant to ensure proper operation of the BlueField. For information on connecting the external power supply connector, please refer to the NVIDIA BlueField-3 Networking Platform User Guide.

Users have two options for installing DOCA on BlueField DPU or SuperNIC:

Upgrading the full DOCA image on BlueField (recommended) – this option overwrites the entire boot partition with an Ubuntu 22.04 installation and updates BlueField and NIC firmware.

Upgrading DOCA online repo package on BlueField – this option upgrades DOCA components without overwriting the boot partition. Use this option to preserve configurations or files on BlueField itself.

Warning This step overwrites the entire boot partition.

Note This installation sets up the OVS bridge.

Note To change the default Ubuntu password during the BFB bundle installation, proceed to Option 2.

BFB installation is executed as follows:

Copy Copied! host# sudo bfb-install --rshim rshim<N> --bfb <image_path.bfb>

Where rshim<N> is rshim0 if you only have one Bluefield. You may run the following command to verify:

Copy Copied! host# ls -la /dev/ | grep rshim





Ubuntu users can provide a unique password that will be applied at the end of the BlueField BFB bundle installation. This password needs to be defined in a bf.cfg configuration file.

To set the password for the "ubuntu" user:

Create password hash. Run: Copy Copied! host# openssl passwd - 1 Password: Verifying - Password: $ 1 $3B0RIrfX$TlHry93NFUJzg3Nya00rE1 Add the password hash in quotes to the bf.cfg file: Copy Copied! host# echo ubuntu_PASSWORD= '$1$3B0RIrfX$TlHry93NFUJzg3Nya00rE1' > bf.cfg When running the installation command, use the --config flag to provide the file containing the password: Copy Copied! host# sudo bfb-install --rshim rshim<N> --bfb <image_path.bfb> --config bf.cfg Note Optionally, to upgrade the BlueField integrated BMC firmware using BFB bundle, please provide the current BMC root credentials in a bf.cfg file, as shown in the following: Copy Copied! BMC_PASSWORD= "<root password>" BMC_USER= "root" BMC_REBOOT= "yes" Unless previously changed, the default BMC root password is 0penBmc . Note If --config is not used, then upon first login to the BlueField device, users will be prompted to update the default 'ubuntu' password. The following is an example of Ubuntu-22.04 BFB bundle installation (Release version may vary in the future). Collapse Source Copy Copied! host# sudo bfb-install --rshim rshim0 --bfb bf-bundle- 2.7 .0_24.04_ubuntu- 22 .04_prod.bfb --config bf.cfg Pushing bfb 1 .41GiB 0 : 02 : 02 [ 11 .7MiB/s] [ <=> ] Collecting BlueField booting status. Press Ctrl+C to stop INFO[PSC]: PSC BL1 START INFO[BL2]: start INFO[BL2]: boot mode (rshim) INFO[BL2]: VDDQ: 1120 mV INFO[BL2]: DDR POST passed INFO[BL2]: UEFI loaded INFO[BL31]: start INFO[BL31]: lifecycle GA Secured INFO[BL31]: VDD: 850 mV INFO[BL31]: runtime INFO[BL31]: MB ping success INFO[UEFI]: eMMC init INFO[UEFI]: eMMC probed INFO[UEFI]: UPVS valid INFO[UEFI]: PMI: updates started INFO[UEFI]: PMI: total updates: 1 INFO[UEFI]: PMI: updates completed, status 0 INFO[UEFI]: PCIe enum start INFO[UEFI]: PCIe enum end INFO[UEFI]: UEFI Secure Boot INFO[UEFI]: PK configured INFO[UEFI]: Redfish enabled INFO[UEFI]: exit Boot Service INFO[MISC]: Found bf.cfg INFO[MISC]: Ubuntu installation started INFO[MISC]: Installing OS image INFO[MISC]: Changing the default password for user ubuntu INFO[MISC]: Ubuntu installation completed INFO[MISC]: Updating NIC firmware... INFO[MISC]: NIC firmware update done INFO[MISC]: Installation finished To verify the BlueField has completed booting up, allow additional 90 seconds then perform the following: Copy Copied! host# sudo cat /dev/rshim<N>/misc ... INFO[MISC]: Linux up INFO[MISC]: DPU is ready Retrieve installed packages and their versions as part of BF-Bundle installation: Log into BlueField. Run the following: Copy Copied! bf# sudo bf-info Example output: Copy Copied! Versions: - ATF: v2. 2 (release): 4.9 . 0 - 16 -g221717c68 - UEFI: 4.9 . 0 - 37 -gcbeaab0650 - BSP: 4.9 . 0.13322 - NIC Firmware: 32.43 . 0356 - DOCA Base (OFED): 24.10 - 0.5 . 1.0 ... Storage: - mlnx-libsnap 1.6 . 0 - 1 - spdk 23.01 . 5 - 24 - virtio-net-controller 24.10 . 15 - 1 DOCA: - doca-apsh-config 2.9 . 0064 - 1 - libdoca-sdk-urom-dev 2.9 . 0064 - 1 ... FlexIO: - flexio-samples 24.10 . 2447 - flexio-sdk 24.10 . 2447 ... SoC Platform: - mlxbf-gige-modules 1.0 - 0 .kver. 6.1 . 0 - 11 -arm64 - sdhci-of-dwcmshc-modules 1.0 - 0 .kver. 6.1 . 0 - 11 -arm64 ... OFED: rdma-core 2410mlnx54- 1.2410051 ucx 1.18 . 0 - 1.2410051 ... Configure the tmfifo_net0 interface over IPv4 for SSHing into the BlueField Arm OS : Copy Copied! host# ifconfig tmfifo_net0 192.168 . 100.1 / 24 Info SSH into the BlueField Arm OS with 192.168.100.2 (preconfigured default).

Note This operation is only required if the user skipped NIC firmware update during BFB bundle installation using the parameter WITH_NIC_FW_UPDATE=no in the bf.cfg file.

This section explains how to update the NIC firmware on a DOCA installed BlueField OS.

Note If multiple BlueFields are installed, the following steps must be performed on all of them after BFB installation.

An up-to-date NIC firmware image is provided in BlueField BFB bundle and copied to the BlueField filesystem during BFB installation.

To upgrade firmware in the BlueField Arm OS:

SSH to your BlueField Arm OS by any means available. The following instructions enable to login to the BlueField Arm OS from the host OS over the RShim virtual interface, tmfifo_net<N> and do not require LAN connectivity with the BlueField OOB network port. Note This operation can be performed over the host's tmfifo_net0 IPv4, 192.168.100.1 (preconfigured) with BlueField Arm OS at 192.168.100.2 (default). The default credentials for Ubuntu are as follows: Username Password ubuntu ubuntu For example, to log into BlueField Arm OS over IPv6: Copy Copied! host]# systemctl restart rshim host]# ssh - 6 fe80::21a:caff:feff:ff01%tmfifo_net<N> Password: <configured-password> Upgrade firmware in BlueField. Run: Copy Copied! dpu# sudo /opt/mellanox/mlnx-fw-updater/mlnx_fw_updater.pl --force-fw-update Example output: Copy Copied! Device # 1 : ---------- Device Type: BlueField- 2 [...] Versions: Current Available FW <Old_FW> <New_FW> For the firmware upgrade to take effect perform a BlueField system reboot.