Created on Jan 18, 2026

This Reference Deployment Guide (RDG) provides comprehensive instructions for deploying the NVIDIA DOCA Platform Framework (DPF) with the DOCA Argus service on high-performance, bare-metal infrastructure in Zero-Trust mode. It focuses on the setup and use of DPU-based services on NVIDIA® BlueField®-3 DPUs to deliver secure, isolated, and hardware-accelerated environments.

The guide is intended for experienced system administrators, systems engineers, and solution architects who build highly secure bare-metal environments using NVIDIA BlueField DPUs for acceleration, isolation, and infrastructure offload.

This document is an extension of the RDG for DPF Zero Trust (DPF-ZT) - NVIDIA Docs (referred to as the Baseline RDG ). It details the additional steps and modifications required to deploy the Argus Service into the Baseline RDG environment.

Note This reference implementation, as the name implies, is a specific, opinionated deployment example designed to address the use case described above.

Although other approaches may exist for implementing similar solutions, this document provides a detailed guide for this specific method.

Term Definition Term Definition BFB BlueField Bootstream NFS Network File System DOCA Data Center Infrastructure-on-a-Chip Architecture OOB Out-of-Band DPF DOCA Platform Framework OVN Open Virtual Network DPU Data Processing Unit PF Physical Function K8S Kubernetes RDG Reference Deployment Guide KVM Kernel-based Virtual Machine RDMA Remote Direct Memory Access MAAS Metal as a Service RoCE RDMA over Converged Ethernet MTU Maximum Transmission Unit VPC Virtual Private Cloud NGC NVIDIA GPU Cloud ZT Zero Trust

The NVIDIA BlueField-3 Data Processing Unit (DPU) is a 400 Gb/s infrastructure compute platform designed for line-rate processing of software-defined networking, storage, and cybersecurity workloads. It combines powerful compute resources, high-speed networking, and advanced programmability to deliver hardware-accelerated, software-defined solutions for modern data centers.

NVIDIA DOCA unleashes the full potential of the BlueField platform by enabling rapid development of applications and services that offload, accelerate, and isolate data center workloads.

One such service is the DOCA Argus Service provides Workload Threat Detection is a novel approach for container threat detection in AI workloads and microservices, utilizing a Bluefield DPU to perform live machine introspection at the hardware level. This approach analyzes specific snippets of volatile memory to provide real-time visibility into container activity and behavior at the network, host, and application levels.

The state of container node images is continuously monitored in real-time, checking for deviations from their secure, compliant versions and configurations to detect and stop runtime attacks. These insights also include the ability to identify attacks targeting network facing applications/services.

The Argus service provides events and data on any object on the OS (host/VM) without any configuration needed and without any active part from the user or the host.

Examples what Argus service provides:

Any new processes with its PID, name, attributes, and status.

Reverse shells with process and network connection details such as source & destination IP and number of transferred bytes.

SHA256 hash of running executable and loaded libraries

However, deploying and managing DPUs, especially at scale, presents operational challenges. Without a robust provisioning and orchestration system, tasks such as lifecycle management, service deployment, and network configuration for service function chaining (SFC) can quickly become complex and error prone. This is where the DOCA Platform Framework (DPF) comes into play.

DPF automates the full DPU lifecycle, and simplifies advanced network configurations. With DPF, services can be deployed seamlessly, allowing for efficient offloading and intelligent routing of traffic through the DPU data plane.

By leveraging DPF, users can scale and automate DPU management across Bare Metal, Virtual, and Kubernetes customer environments - optimizing performance while simplifying operations.

DPF supports multiple deployment models. This guide focuses on the Zero Trust bare-metal deployment model. In this scenario:

The DPU is managed through its Baseboard Management Controller (BMC)

through its All management traffic occurs over the DPU's out-of-band (OOB) network

network The host is considered as an untrusted entity towards the data center network. The DPU acts as a barrier between the host and the network.

The host sees the DPU as a standard NIC, with no access to the internal DPU management plane (Zero Trust Mode)

This Reference Deployment Guide (RDG) provides a step-by-step example for installing DPF in Zero-Trust mode. It also includes practical demonstrations of performance optimization, validated using standard RDMA and TCP workloads.

As part of the reference implementation, open-source components outside the scope of DPF (e.g., MAAS, pfSense, Kubespray) are used to simulate a realistic customer deployment environment. The guide includes the full end-to-end deployment process, including:

Infrastructure provisioning

DPF deployment

DPU provisioning (redfish)

Service configuration and deployment

Service chaining.

This document extends the capabilities of the DPF-managed Kubernetes cluster described in the RDG for DPF Zero Trust (DPF-ZT) - NVIDIA Docs (referred to as the Baseline RDG) by deploying the NVIDIA DOCA Argus Service within the existing DPF deployment to achieve a comprehensive, accelerated infrastructure.

NVIDIA BlueField® Data Processing Unit (DPU) The NVIDIA® BlueField® data processing unit (DPU) ignites unprecedented innovation for modern data centers and supercomputing clusters. With its robust compute power and integrated software-defined hardware accelerators for networking, storage, and security, BlueField creates a secure and accelerated infrastructure for any workload in any environment, ushering in a new era of accelerated computing and AI.



NVIDIA DOCA Software Framework NVIDIA DOCA™ unlocks the potential of the NVIDIA® BlueField® networking platform. By harnessing the power of BlueField DPUs and SuperNICs, DOCA enables the rapid creation of applications and services that offload, accelerate, and isolate data center workloads. It lets developers create software-defined, cloud-native, DPU- and SuperNIC-accelerated services with zero-trust protection, addressing the performance and security demands of modern data centers.



NVIDIA ConnectX SmartNICs 10/25/40/50/100/200 and 400G Ethernet Network Adapters The industry-leading NVIDIA® ConnectX® family of smart network interface cards (SmartNICs) offer advanced hardware offloads and accelerations. NVIDIA Ethernet adapters enable the highest ROI and lowest Total Cost of Ownership for hyperscale, public and private clouds, storage, machine learning, AI, big data, and telco platforms.



NVIDIA LinkX Cables The NVIDIA® LinkX® product family of cables and transceivers provides the industry’s most complete line of 10, 25, 40, 50, 100, 200, and 400GbE in Ethernet and 100, 200 and 400Gb/s InfiniBand products for Cloud, HPC, hyperscale, Enterprise, telco, storage and artificial intelligence, data center applications.



NVIDIA Spectrum Ethernet Switches Flexible form-factors with 16 to 128 physical ports, supporting 1GbE through 400GbE speeds. Based on a ground-breaking silicon technology optimized for performance and scalability, NVIDIA Spectrum switches are ideal for building high-performance, cost-effective, and efficient Cloud Data Center Networks, Ethernet Storage Fabric, and Deep Learning Interconnects. NVIDIA combines the benefits of NVIDIA Spectrum™ switches, based on an industry-leading application-specific integrated circuit (ASIC) technology, with a wide variety of modern network operating system choices, including NVIDIA Cumulus® Linux , SONiC and NVIDIA Onyx®.



NVIDIA Cumulus Linux NVIDIA® Cumulus® Linux is the industry's most innovative open network operating system that allows you to automate, customize, and scale your data center network like no other.



Kubernetes Kubernetes is an open-source container orchestration platform for deployment automation, scaling, and management of containerized applications.



Kubespray Kubespray is a composition of Ansible playbooks, inventory, provisioning tools, and domain knowledge for generic OS/Kubernetes clusters configuration management tasks and provides: A highly available cluster Composable attributes Support for most popular Linux distributions



The logical design includes the following components:

1 x Hypervisor node (KVM-based) with ConnectX-7: 1 x Firewall VM 1 x Jump Node VM 1 x MaaS VM 3 x K8s Master VMs running all K8s management components

1 x Worker nodes (PCI Gen5), each with a 1 x BlueField-3 NIC

Single High-Speed (HS) switch

1 Gb Host Management network

The pfSense firewall in this solution serves a dual purpose:

Firewall—provides an isolated environment for the DPF system, ensuring secure operations

Router—enables Internet access for the management network

Port-forwarding rules for SSH and RDP are configured on the firewall to route traffic to the jump node’s IP address in the host management network. From the jump node, administrators can manage and access various devices in the setup, as well as handle the deployment of the Kubernetes (K8s) cluster and DPF components.

The following diagram illustrates the firewall design used in this solution:

Warning Make sure to use the exact same versions for the software stack as described above.

These are the definitions and parameters used for deploying the demonstrated fabric:

Switches Ports Usage Hostname Rack ID Ports mgmt-switch 1 swp1-2 hs-switch 1 swp1-2

Hosts Rack Server Type Server Name Switch Port IP and NICs Default Gateway Rack1 Hypervisor Node hypervisor mgmt-switch: swp1 hs-switch: swp1 lab-br (interface eno1): Trusted LAN IP mgmt-br (interface eno2): - hs-br (interface enp1s0): - Trusted LAN GW Rack1 Firewall (Virtual) fw - WAN (lab-br): Trusted LAN IP LAN (mgmt-br): 10.0.110.254/24 OPT1(hs-br): 10.0.123.254/22 Trusted LAN GW Rack1 Jump Node (Virtual) jump - enp1s0: 10.0.110.253/24 10.0.110.254 Rack1 MaaS (Virtual) maas - enp1s0: 10.0.110.252/24 10.0.110.254 Rack1 Master Node (Virtual) master1 - enp1s0: 10.0.110.1/24 10.0.110.254 Rack1 Master Node (Virtual) master2 - enp1s0: 10.0.110.2/24 10.0.110.254 Rack1 Master Node (Virtual) master3 - enp1s0: 10.0.110.3/24 10.0.110.254 Rack1 Worker Node worker1 mgmt-switch: swp2(DPU OOB) hs-switch: swp2 dpubmc: 10.0.110.21/24 ens1f0v2: DHCP 10.0.110.254 10.0.123.254

As a best practice, make sure to use the latest released Cumulus Linux NOS version.

For information on how to upgrade Cumulus Linux, refer to the Cumulus Linux User Guide.

The SN3700 switch ( hs-switch ), is configured as follows:

SN3700 Switch Console Collapse Source Copy Copied! nv set bridge domain br_hs untagged 1 nv set interface swp1-2 bridge domain br_hs nv set interface swp1-2 link state up nv set interface swp1-2 type swp nv config apply -y nv config save -y

The SN2201 switch ( mgmt-switch ) is configured as follows:

SN2201 Switch Console Collapse Source Copy Copied! nv set interface swp1-2 link state up nv set interface swp1-2 type swp nv set interface swp1-2 bridge domain br_default nv set bridge domain br_default untagged 1 nv config apply nv config save -y

Warning Make sure that the BIOS settings on the worker node servers have SR-IOV enabled and that the servers are tuned for maximum performance. All worker nodes must have the same PCIe placement for the BlueField-3 NIC and must display the same interface name. Make sure that you have DPU BMC and OOB MAC addresses.

No change from the Reference Deployment Guide (Baseline RDG) (Section "Deployment and Configuration", Subsection " Host Configuration ").

No change from the Baseline RDG (Section "Deployment and Configuration", Subsection "Hypervisor Installation and Configuration").

No change from the Baseline RDG (Section "Deployment and Configuration", Subsection "Prepare Infrastructure Servers") regarding Firewall VM, Jump VM, MaaS VM.

No change from the Baseline RDG (Section "Deployment and Configuration", Subsection "Provision Master VMs Using MaaS").

The procedures for initial Kubernetes cluster deployment using Kubespray for the master nodes, and subsequent verification, remain unchanged from the Baseline RDG (Section "K8s Cluster Deployment and Configuration", Subsections: "Kubespray Deployment and Configuration", "Deploying Cluster Using Kubespray Ansible Playbook","K8s Deployment Verification".

The DPF installation process (Operator, System components) largely follows the Baseline RDG.

Start by installing the remaining software perquisites. Jump Node Console Collapse Source Copy Copied! ## Connect to master1 to copy helm client utility that was installed during kubespray deployment $ depuser@jump:~$ ssh master1 depuser@master1:~$ cp /usr/local/bin/helm /tmp/ ## In another tab depuser@jump:~$ scp master1:/tmp/helm /tmp/ depuser@jump:~$ sudo chown root:root /tmp/helm depuser@jump:~$ sudo mv /tmp/helm /usr/local/bin/ ## Verify that envsubst utility is installed depuser@jump:~$ which envsubst /usr/bin/envsubst Proceed to clone the doca-platform Git repository: Jump Node Console Collapse Source Copy Copied! $ git clone https://github.com/NVIDIA/doca-platform.git Change directory to doca-platform and checkout to tag v25.10.0: Jump Node Console Collapse Source Copy Copied! $ cd doca-platform/ $ git checkout v25.10.0 Change directory to readme.md from where all the commands will be run: Jump Node Console Collapse Source Copy Copied! $ cd doca-platform/dpuservices/argus/ Modify the variables in manifests/00-env-vars/argus_vars.env to fit your environment, then source the file: manifests/00-env-vars/argus_vars.env Collapse Source Copy Copied! export TARGETCLUSTER_API_SERVER_HOST=10.0.110.10 export DPUCLUSTER_VIP=10.0.110.200 export DPUCLUSTER_INTERFACE=ens160 export NFS_SERVER_IP=10.0.110.253 export HELM_REGISTRY_REPO_URL=https://helm.ngc.nvidia.com/nvidia/doca export REGISTRY=https://helm.ngc.nvidia.com/nvidia/doca export TAG=v25.10.0 export BFB_URL= "https://content.mellanox.com/BlueField/BFBs/Ubuntu24.04/bf-bundle-3.2.1-34_25.11_ubuntu-24.04_64k_prod.bfb" export IP_RANGE_START=10.0.110.201 export IP_RANGE_END=10.0.110.204 export BMC_ROOT_PASSWORD=< set your BMC_ROOT_PASSWORD> export ARGUS_NGC_IMAGE_URL=nvcr.io/nvidia/doca/doca_argus:1.0.0-doca3.1.0 Export environment variables for the installation: Jump Node Console Collapse Source Copy Copied! $ source argus_vars.env

No change from the Baseline RDG (Section "DPF Installation", Subsection "DPF Operator Installation").

No change from the Baseline RDG (Section "DPF Installation", Subsection "DPF System Installation").

Before deploying the objects under doca-platform/dpuservices/argus/ directory, a few adjustments are required.

Use the following YAML to define a BFB resource that downloads the Bluefield Bitstream to a shared volume : bfb.yaml Collapse Source Copy Copied! --- apiVersion: provisioning.dpu.nvidia.com/v1alpha1 kind: BFB metadata: name: bf-bundle namespace: dpf-operator-system spec: url: $BFB_URL Run the command to create the BFB : Jump Node Console Collapse Source Copy Copied! $ cat bfb.yaml | envsubst |kubectl apply -f - Change the DPUFlavor using the following YAML: DPUFlavor.yaml Collapse Source Copy Copied! --- apiVersion: provisioning.dpu.nvidia.com/v1alpha1 kind: DPUFlavor metadata: name: dpf-provisioning-argus namespace: dpf-operator-system spec: bfcfgParameters: - UPDATE_ATF_UEFI=yes - UPDATE_DPU_OS=yes - WITH_NIC_FW_UPDATE=yes configFiles: - operation: override path: /etc/mellanox/mlnx-bf.conf permissions: "0644" raw: | ALLOW_SHARED_RQ= "no" IPSEC_FULL_OFFLOAD= "no" ENABLE_ESWITCH_MULTIPORT= "yes" - operation: override path: /etc/mellanox/mlnx-ovs.conf permissions: "0644" raw: | CREATE_OVS_BRIDGES= "no" OVS_DOCA= "yes" - operation: override path: /etc/mellanox/mlnx-sf.conf permissions: "0644" raw: "" grub: kernelParameters: - console=hvc0 - console=ttyAMA0 - earlycon=pl011, 0x13010000 - fixrttc - net.ifnames= 0 - biosdevname= 0 - iommu.passthrough= 1 - cgroup_no_v1=net_prio,net_cls - hugepagesz=2048kB - hugepages= 3072 nvconfig: - device: '*' parameters: - PF_BAR2_ENABLE= 0 - PER_PF_NUM_SF= 1 - PF_TOTAL_SF= 20 - PF_SF_BAR_SIZE= 10 - NUM_PF_MSIX_VALID= 0 - PF_NUM_PF_MSIX_VALID= 1 - PF_NUM_PF_MSIX= 228 - INTERNAL_CPU_MODEL= 1 - INTERNAL_CPU_OFFLOAD_ENGINE= 0 - SRIOV_EN= 1 - NUM_OF_VFS= 46 - LAG_RESOURCE_ALLOCATION= 1 ovs: rawConfigScript: | _ovs-vsctl() { ovs-vsctl --no-wait --timeout 15 "$@" } _ovs-vsctl set Open_vSwitch . other_config:doca-init= true _ovs-vsctl set Open_vSwitch . other_config:dpdk-max-memzones= 50000 _ovs-vsctl set Open_vSwitch . other_config:hw-offload= true _ovs-vsctl set Open_vSwitch . other_config:pmd-quiet-idle= true _ovs-vsctl set Open_vSwitch . other_config:max-idle= 20000 _ovs-vsctl set Open_vSwitch . other_config:max-revalidator= 5000 _ovs-vsctl set Open_vSwitch . other_config:ctl-pipe-size= 1024 _ovs-vsctl -- if -exists del-br ovsbr1 _ovs-vsctl -- if -exists del-br ovsbr2 _ovs-vsctl --may-exist add-br br-sfc _ovs-vsctl set bridge br-sfc datapath_type=netdev _ovs-vsctl set bridge br-sfc fail_mode=secure _ovs-vsctl --may-exist add-port br-sfc p0 _ovs-vsctl set Interface p0 type=dpdk _ovs-vsctl set Port p0 external_ids:dpf-type=physical _ovs-vsctl set Open_vSwitch . external-ids:ovn-bridge-datapath-type=netdev _ovs-vsctl --may-exist add-br br-ovn _ovs-vsctl set bridge br-ovn datapath_type=netdev _ovs-vsctl br-set-external-id br-ovn bridge-id br-ovn _ovs-vsctl br-set-external-id br-ovn bridge-uplink puplinkbrovntobrsfc _ovs-vsctl --may-exist add-port br-ovn pf0hpf _ovs-vsctl set Interface pf0hpf type=dpdk Change the DPUDeployment.yaml file: DPUDeployment.yaml Collapse Source Copy Copied! --- apiVersion: svc.dpu.nvidia.com/v1alpha1 kind: DPUDeployment metadata: name: argus namespace: dpf-operator-system spec: dpus: bfb: bf-bundle dpuSets: - nameSuffix: dpuset-argus nodeSelector: matchLabels: feature.node.kubernetes.io/dpu-enabled: "true" flavor: dpf-provisioning-argus nodeEffect: noEffect: true serviceChains: switches: - ports: - serviceInterface: matchLabels: uplink: p0 upgradePolicy: applyNodeEffect: true services: argus: serviceConfiguration: argus serviceTemplate: argus Change the DPUServiceConfiguration.yaml file: DPUServiceConfiguration.yaml Collapse Source Copy Copied! --- apiVersion: svc.dpu.nvidia.com/v1alpha1 kind: DPUServiceConfiguration metadata: name: argus namespace: dpf-operator-system spec: deploymentServiceName: argus serviceConfiguration: helmChart: values: config: isLocalPath: false containerImage: $ARGUS_NGC_IMAGE_URL Change the DPUServiceTemplate.yaml file: DPUServiceTemplate.yaml Collapse Source Copy Copied! --- apiVersion: svc.dpu.nvidia.com/v1alpha1 kind: DPUServiceTemplate metadata: name: argus namespace: dpf-operator-system spec: deploymentServiceName: argus helmChart: source: chart: doca-argus repoURL: $HELM_REGISTRY_REPO_URL version: 1.0 . 0 Apply all of the YAML files mentioned above using the following command: Jump Node Console Collapse Source Copy Copied! $ cat DPUFlavor.yaml | envsubst | kubectl apply -f - $ cat DPUDeployment.yaml | envsubst | kubectl apply -f - $ cat DPUServiceConfiguration.yaml | envsubst | kubectl apply -f - $ cat DPUServiceTemplate.yaml | envsubst | kubectl apply -f - To follow the progress of DPU provisioning, run the following command to check its current phase: Jump Node Console Collapse Source Copy Copied! $ watch -n10 "kubectl describe dpu -n dpf-operator-system | grep 'Node Name\|Type\|Last\|Phase'" Every 10.0s: kubectl describe dpu -n dpf-operator-system | grep 'Node Name\|Type\|Last\|Phase' setup5-jump: Mon Jan 12 16:39:57 2026 Dpu Node Name: dpu-node-mt2337xz04qz Last Transition Time: 2026-01-12T13:57:52Z Type: BFBPrepared Last Transition Time: 2026-01-12T14:02:27Z Type: BFBTransferred Last Transition Time: 2026-01-12T13:57:52Z Type: FWConfigured Last Transition Time: 2026-01-12T13:57:51Z Type: InterfaceInitialized Last Transition Time: 2026-01-12T13:57:51Z Type: NodeEffectReady Last Transition Time: 2026-01-12T14:36:31Z Reason: OemLastState Type: OSInstalled Last Transition Time: 2026-01-12T13:57:51Z Type: BFBReady Last Transition Time: 2026-01-12T13:57:51Z Type: Initialized Last Transition Time: 2026-01-12T14:39:31Z Type: Rebooted Phase: Rebooting Wait for the Rebooted stage and then Power Cycle the bare-metal host manual. After the DPU is up, run following command for each DPU worker: Jump Node Console Collapse Source Copy Copied! $ kubectl -n dpf-operator-system annotate dpunode --all provisioning.dpu.nvidia.com/dpunode-external-reboot-required- At this point, the DPU workers should be added to the cluster. As they being added to the cluster, the DPUs are provisioned. Jump Node Console Collapse Source Copy Copied! $ watch -n10 "kubectl describe dpu -n dpf-operator-system | grep 'Node Name\|Type\|Last\|Phase'" Every 10.0s: kubectl describe dpu -n dpf-operator-system | grep 'Node Name\|Type\|Last\|Phase' setup5-jump: Mon Jan 12 17:30:14 2026 Dpu Node Name: dpu-node-mt2337xz04qz Type: InternalIP Type: Hostname Last Transition Time: 2026-01-12T15:29:52Z Type: Ready Last Transition Time: 2026-01-12T13:57:52Z Type: BFBPrepared Last Transition Time: 2026-01-12T14:02:27Z Type: BFBTransferred Last Transition Time: 2026-01-12T15:29:52Z Type: DPUClusterReady Last Transition Time: 2026-01-12T13:57:52Z Type: FWConfigured Last Transition Time: 2026-01-12T13:57:51Z Type: InterfaceInitialized Last Transition Time: 2026-01-12T13:57:51Z Type: NodeEffectReady Last Transition Time: 2026-01-12T15:29:52Z Type: NodeEffectRemoved Last Transition Time: 2026-01-12T14:36:31Z Reason: OemLastState Type: OSInstalled Last Transition Time: 2026-01-12T13:57:51Z Type: BFBReady Last Transition Time: 2026-01-12T13:57:51Z Type: Initialized Last Transition Time: 2026-01-12T15:29:52Z Type: Rebooted Phase: Ready At this point, the DPU workers should be added to the cluster. As they being added to the cluster, the DPUs are provisioned.

Finally, validate that all the different DPU-related objects are now in the Ready state: Jump Node Console Collapse Source Copy Copied! $ echo 'alias dpfctl="kubectl -n dpf-operator-system exec deploy/dpf-operator-controller-manager -- /dpfctl "' >> ~/.bashrc $ dpfctl describe dpudeployments NAME NAMESPACE STATUS REASON SINCE MESSAGE .... └─DPUDeployments └─DPUDeployment/argus dpf-operator-system Ready: True Success 15s ├─DPUServiceChains │ └─DPUServiceChain/argus-kjbb2 dpf-operator-system Ready: True Success 23h ├─DPUSets │ └─DPUSet/argus-dpuset-argus dpf-operator-system │ ├─BFB/bf-bundle dpf-operator-system Ready: True Ready 24h File: bf-bundle-3.2.1-34_25.11_ubuntu-24.04_64k_prod.bfb, DOCA: 3.2.1 │ └─DPUs │ └─DPU/dpu-node-mt2402xz0f7x-mt2402xz0f7x dpf-operator-system Ready: True DPUReady 34s └─Services ├─DPUServiceTemplates │ └─DPUServiceTemplate/argus dpf-operator-system Ready: True Success 23h └─DPUServices └─DPUService/argus-76pxl dpf-operator-system Ready: True Success 15s $ echo "alias ki='KUBECONFIG=/home/depuser/dpu-cluster.config kubectl'" >> ~/.bashrc $ kubectl get secrets -n dpu-cplane-tenant1 dpu-cplane-tenant1-admin-kubeconfig -o json | jq -r '.data["admin.conf"]' | base64 --decode > /home/depuser/dpu-cluster.config $ ki get node -A NAME STATUS ROLES AGE VERSION dpu-node-mt2337xz04qz-mt2337xz04qz Ready <none> 46m v1.34.3 $ kubectl get dpu -A NAMESPACE NAME READY PHASE AGE dpf-operator-system dpu-node-mt2337xz04qz-mt2337xz04qz True Ready 94m $ kubectl wait --for=condition=ready --namespace dpf-operator-system dpu --all dpu.provisioning.dpu.nvidia.com/dpu-node-mt2402xz0f7x-mt2402xz0f7x condition met

Here's a step-by-step procedure to check the DOCA Argus service on your NVIDIA BlueField DPU.

Note Ubuntu 24.04 was installed on the servers.

Open the first worker server console. Jump Node Console Collapse Source Copy Copied! $ ssh worker1 Add iommu configuration in the /etc/default/grub file: First BM Server Console Collapse Source Copy Copied! root @worker1 :~# vim /etc/ default /grub ## Add iommu=pt intel_iommu=on in GRUB_CMDLINE_LINUX_DEFAULT parameter GRUB_CMDLINE_LINUX_DEFAULT= "iommu.passthrough=1 intel_iommu=on" Reboot the server. Second BM Server Console Collapse Source Copy Copied! root @worker1 :~# reboot For test we will run the sleep 100 command. Second BM Server Console Collapse Source Copy Copied! root @worker1 :~# sleep 100 & C onnect to the first DPU OOB over SSH and change the OOB ubuntu's user password(d efault password is ubuntu). DPU BM Server Console Collapse Source Copy Copied! root @worker1 :~# ssh ubuntu @10 .0. 110.211 Run following command to see Argus log events about the sleep 100 process on the worker host. DPU BM Server Console Collapse Source Copy Copied! ubuntu @dpu -node-mt2402xz0f7x-mt2402xz0f7x:~$ jq 'select(.activity_data.process_details.process_name == "sleep") | .activity_data' /var/log/doca_argus_activity_report/doca_argus_log_MT2402XZ0F7XMLNXS0D0F0.log -C | less -R { "name" : "process_created" , "process_details" : { "process_id" : "2089" , "process_name" : "sleep" , "process_file_name" : "sleep" , "process_self_exec_id" : "8" , "process_parent_process_id" : "2047" , "process_cpu_clock_cycles" : "2082047" , "process_real_group_id" : "1000" , "process_real_user_id" : "1000" , "process_command_line_arguments" : "sleep 100" , "process_state" : "RUNNING" , "process_pid_namespace" : "4026531836" , "process_mount_points_namespace" : "4026531841" , "process_network_namespace" : "4026531840" , "process_hash_sha256" : "4a193eb6f25eecf27bad523cb8a53ec4d40775eb498f44760b19bfc421cc90aa" , "process_hash_sha1" : "bab62b22ddb568b245ebc0132200a5e2ddd8577c" , "process_hash_md5" : "ecdb9cd1468ff7151564b334b73161f5" , "process_file_size_bytes" : "35336" , "process_folder_path" : "/usr/bin/" , "process_creation_time_iso_8601_ns" : "2025-09-15T13:58:35.624512074+00:00" , "process_container_id" : "" } } { "name" : "thread_created" , "process_details" : { "process_id" : "2089" , "process_name" : "sleep" , "process_file_name" : "sleep" , "process_self_exec_id" : "8" , "process_parent_process_id" : "2047" , "process_cpu_clock_cycles" : "2082047" , "process_real_group_id" : "1000" , "process_real_user_id" : "1000" , "process_command_line_arguments" : "sleep 100" , "process_state" : "RUNNING" , "process_pid_namespace" : "4026531836" , "process_mount_points_namespace" : "4026531841" , "process_network_namespace" : "4026531840" , "process_hash_sha256" : "4a193eb6f25eecf27bad523cb8a53ec4d40775eb498f44760b19bfc421cc90aa" , "process_hash_sha1" : "bab62b22ddb568b245ebc0132200a5e2ddd8577c" , "process_hash_md5" : "ecdb9cd1468ff7151564b334b73161f5" , "process_file_size_bytes" : "35336" , "process_folder_path" : "/usr/bin/" , "process_creation_time_iso_8601_ns" : "2025-09-15T13:58:35.624512074+00:00" , "process_container_id" : "" }, "thread_details" : { "thread_id" : "2089" , "thread_self_exec_id" : "8" , "thread_exit_state" : "0" } } { "name" : "new_file_mapped" , "process_details" : { "process_id" : "2089" , "process_name" : "sleep" , "process_file_name" : "sleep" , "process_self_exec_id" : "8" , "process_parent_process_id" : "2047" , "process_cpu_clock_cycles" : "2082047" , "process_real_group_id" : "1000" , "process_real_user_id" : "1000" , "process_command_line_arguments" : "sleep 100" , "process_state" : "RUNNING" , "process_pid_namespace" : "4026531836" , "process_mount_points_namespace" : "4026531841" , "process_network_namespace" : "4026531840" , "process_hash_sha256" : "4a193eb6f25eecf27bad523cb8a53ec4d40775eb498f44760b19bfc421cc90aa" , "process_hash_sha1" : "bab62b22ddb568b245ebc0132200a5e2ddd8577c" , "process_hash_md5" : "ecdb9cd1468ff7151564b334b73161f5" , "process_file_size_bytes" : "35336" , "process_folder_path" : "/usr/bin/" , "process_creation_time_iso_8601_ns" : "2025-09-15T13:58:35.624512074+00:00" , "process_container_id" : "" }, "process_memory_details" : { "process_id" : "2089" , "virtual_memory_area_start_address" : "101967991353344" , "virtual_memory_area_end_address" : "101967991369728" , "memory_permissions" : "r-x" , "virtual_memory_area_file_structure" : "18387451888125847296" , "is_main_process_executable" : "1" , "file_path" : "/usr/bin/sleep" , "file_name" : "sleep" }, "process_attestation_details" : { "elf_file_inode_number" : "14287898" , "elf_file_name" : "sleep" , "elf_file_path" : "/usr/bin/sleep" , "elf_file_hash_sha256" : "4a193eb6f25eecf27bad523cb8a53ec4d40775eb498f44760b19bfc421cc90aa" , "elf_file_hash_sha1" : "bab62b22ddb568b245ebc0132200a5e2ddd8577c" , "elf_file_hash_md5" : "ecdb9cd1468ff7151564b334b73161f5" , "elf_file_size_bytes" : "35336" , "elf_file_process_executable_state" : "1" , "elf_file_type" : "ET_DYN + INTERP segment - Executable file" } } { "name" : "foreign_binary_executed" , "process_details" : { "process_id" : "2089" , "process_name" : "sleep" , "process_file_name" : "sleep" , "process_self_exec_id" : "8" , "process_parent_process_id" : "2047" , "process_cpu_clock_cycles" : "2082047" , "process_real_group_id" : "1000" , "process_real_user_id" : "1000" , "process_command_line_arguments" : "sleep 100" , "process_state" : "RUNNING" , "process_pid_namespace" : "4026531836" , "process_mount_points_namespace" : "4026531841" , "process_network_namespace" : "4026531840" , "process_hash_sha256" : "4a193eb6f25eecf27bad523cb8a53ec4d40775eb498f44760b19bfc421cc90aa" , "process_hash_sha1" : "bab62b22ddb568b245ebc0132200a5e2ddd8577c" , "process_hash_md5" : "ecdb9cd1468ff7151564b334b73161f5" , "process_file_size_bytes" : "35336" , "process_folder_path" : "/usr/bin/" , "process_creation_time_iso_8601_ns" : "2025-09-15T13:58:35.624512074+00:00" , "process_container_id" : "" }, "process_memory_details" : { "process_id" : "2089" , "virtual_memory_area_start_address" : "101967991353344" , "virtual_memory_area_end_address" : "101967991369728" , "memory_permissions" : "r-x" , "virtual_memory_area_file_structure" : "18387451888125847296" , "is_main_process_executable" : "1" , "file_path" : "/usr/bin/sleep" , "file_name" : "sleep" }, "process_attestation_details" : { "elf_file_inode_number" : "14287898" , "elf_file_name" : "sleep" , "elf_file_path" : "/usr/bin/sleep" , "elf_file_hash_sha256" : "4a193eb6f25eecf27bad523cb8a53ec4d40775eb498f44760b19bfc421cc90aa" , "elf_file_hash_sha1" : "bab62b22ddb568b245ebc0132200a5e2ddd8577c" , "elf_file_hash_md5" : "ecdb9cd1468ff7151564b334b73161f5" , "elf_file_size_bytes" : "35336" , "elf_file_process_executable_state" : "1" , "elf_file_type" : "ET_DYN + INTERP segment - Executable file" } } { "name" : "new_file_mapped" , "process_details" : { "process_id" : "2089" , "process_name" : "sleep" , "process_file_name" : "sleep" , "process_self_exec_id" : "8" , "process_parent_process_id" : "2047" , "process_cpu_clock_cycles" : "2082047" , "process_real_group_id" : "1000" , "process_real_user_id" : "1000" , "process_command_line_arguments" : "sleep 100" , "process_state" : "RUNNING" , "process_pid_namespace" : "4026531836" , "process_mount_points_namespace" : "4026531841" , "process_network_namespace" : "4026531840" , "process_hash_sha256" : "4a193eb6f25eecf27bad523cb8a53ec4d40775eb498f44760b19bfc421cc90aa" , "process_hash_sha1" : "bab62b22ddb568b245ebc0132200a5e2ddd8577c" , "process_hash_md5" : "ecdb9cd1468ff7151564b334b73161f5" , "process_file_size_bytes" : "35336" , "process_folder_path" : "/usr/bin/" , "process_creation_time_iso_8601_ns" : "2025-09-15T13:58:35.624512074+00:00" , "process_container_id" : "" }, "process_memory_details" : { "process_id" : "2089" , "virtual_memory_area_start_address" : "135366862262272" , "virtual_memory_area_end_address" : "135366862438400" , "memory_permissions" : "r-x" , "virtual_memory_area_file_structure" : "18387451615680367360" , "is_main_process_executable" : "0" , "file_path" : "/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2" , "file_name" : "ld-linux-x86-64.so.2" }, "process_attestation_details" : { "elf_file_inode_number" : "14321201" , "elf_file_name" : "ld-linux-x86-64.so.2" , "elf_file_path" : "/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2" , "elf_file_hash_sha256" : "4f961aefd1ecbc91b6de5980623aa389ca56e8bfb5f2a1d2a0b94b54b0fde894" , "elf_file_hash_sha1" : "d6878eaa6b21fc4eee9d5e441bbf2df102f850aa" , "elf_file_hash_md5" : "9d4fdd5d382e1212c9f793974ee0f44a" , "elf_file_size_bytes" : "236616" , "elf_file_process_executable_state" : "0" , "elf_file_type" : "ET_DYN - Shared object" } } { "name" : "foreign_library_loaded" , "process_details" : { "process_id" : "2089" , "process_name" : "sleep" , "process_file_name" : "sleep" , "process_self_exec_id" : "8" , "process_parent_process_id" : "2047" , "process_cpu_clock_cycles" : "2082047" , "process_real_group_id" : "1000" , "process_real_user_id" : "1000" , "process_command_line_arguments" : "sleep 100" , "process_state" : "RUNNING" , "process_pid_namespace" : "4026531836" , "process_mount_points_namespace" : "4026531841" , "process_network_namespace" : "4026531840" , "process_hash_sha256" : "4a193eb6f25eecf27bad523cb8a53ec4d40775eb498f44760b19bfc421cc90aa" , "process_hash_sha1" : "bab62b22ddb568b245ebc0132200a5e2ddd8577c" , "process_hash_md5" : "ecdb9cd1468ff7151564b334b73161f5" , "process_file_size_bytes" : "35336" , "process_folder_path" : "/usr/bin/" , "process_creation_time_iso_8601_ns" : "2025-09-15T13:58:35.624512074+00:00" , "process_container_id" : "" }, "process_memory_details" : { "process_id" : "2089" , "virtual_memory_area_start_address" : "135366862262272" , "virtual_memory_area_end_address" : "135366862438400" , "memory_permissions" : "r-x" , "virtual_memory_area_file_structure" : "18387451615680367360" , "is_main_process_executable" : "0" , "file_path" : "/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2" , "file_name" : "ld-linux-x86-64.so.2" }, "process_attestation_details" : { "elf_file_inode_number" : "14321201" , "elf_file_name" : "ld-linux-x86-64.so.2" , "elf_file_path" : "/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2" , "elf_file_hash_sha256" : "4f961aefd1ecbc91b6de5980623aa389ca56e8bfb5f2a1d2a0b94b54b0fde894" , "elf_file_hash_sha1" : "d6878eaa6b21fc4eee9d5e441bbf2df102f850aa" , "elf_file_hash_md5" : "9d4fdd5d382e1212c9f793974ee0f44a" , "elf_file_size_bytes" : "236616" , "elf_file_process_executable_state" : "0" , "elf_file_type" : "ET_DYN - Shared object" } } { "name" : "new_file_mapped" , "process_details" : { "process_id" : "2089" , "process_name" : "sleep" , "process_file_name" : "sleep" , "process_self_exec_id" : "8" , "process_parent_process_id" : "2047" , "process_cpu_clock_cycles" : "2082047" , "process_real_group_id" : "1000" , "process_real_user_id" : "1000" , "process_command_line_arguments" : "sleep 100" , "process_state" : "RUNNING" , "process_pid_namespace" : "4026531836" , "process_mount_points_namespace" : "4026531841" , "process_network_namespace" : "4026531840" , "process_hash_sha256" : "4a193eb6f25eecf27bad523cb8a53ec4d40775eb498f44760b19bfc421cc90aa" , "process_hash_sha1" : "bab62b22ddb568b245ebc0132200a5e2ddd8577c" , "process_hash_md5" : "ecdb9cd1468ff7151564b334b73161f5" , "process_file_size_bytes" : "35336" , "process_folder_path" : "/usr/bin/" , "process_creation_time_iso_8601_ns" : "2025-09-15T13:58:35.624512074+00:00" , "process_container_id" : "" }, "process_memory_details" : { "process_id" : "2089" , "virtual_memory_area_start_address" : "135366858407936" , "virtual_memory_area_end_address" : "135366860013568" , "memory_permissions" : "r-x" , "virtual_memory_area_file_structure" : "18387451615680368896" , "is_main_process_executable" : "0" , "file_path" : "/usr/lib/x86_64-linux-gnu/libc.so.6" , "file_name" : "libc.so.6" }, "process_attestation_details" : { "elf_file_inode_number" : "14321204" , "elf_file_name" : "libc.so.6" , "elf_file_path" : "/usr/lib/x86_64-linux-gnu/libc.so.6" , "elf_file_hash_sha256" : "de259f5276c4a991f78bf87225d6b40e56edbffe0dcbc0ffca36ec7fe30f3f77" , "elf_file_hash_sha1" : "5b02e178d9ded9b8c37a605e7a233687aa45f72f" , "elf_file_hash_md5" : "289071786eab0c1910da49b2b1bfd377" , "elf_file_size_bytes" : "2125328" , "elf_file_process_executable_state" : "0" , "elf_file_type" : "ET_DYN + INTERP segment - Executable file" } } { "name" : "foreign_library_loaded" , "process_details" : { "process_id" : "2089" , "process_name" : "sleep" , "process_file_name" : "sleep" , "process_self_exec_id" : "8" , "process_parent_process_id" : "2047" , "process_cpu_clock_cycles" : "2082047" , "process_real_group_id" : "1000" , "process_real_user_id" : "1000" , "process_command_line_arguments" : "sleep 100" , "process_state" : "RUNNING" , "process_pid_namespace" : "4026531836" , "process_mount_points_namespace" : "4026531841" , "process_network_namespace" : "4026531840" , "process_hash_sha256" : "4a193eb6f25eecf27bad523cb8a53ec4d40775eb498f44760b19bfc421cc90aa" , "process_hash_sha1" : "bab62b22ddb568b245ebc0132200a5e2ddd8577c" , "process_hash_md5" : "ecdb9cd1468ff7151564b334b73161f5" , "process_file_size_bytes" : "35336" , "process_folder_path" : "/usr/bin/" , "process_creation_time_iso_8601_ns" : "2025-09-15T13:58:35.624512074+00:00" , "process_container_id" : "" }, "process_memory_details" : { "process_id" : "2089" , "virtual_memory_area_start_address" : "135366858407936" , "virtual_memory_area_end_address" : "135366860013568" , "memory_permissions" : "r-x" , "virtual_memory_area_file_structure" : "18387451615680368896" , "is_main_process_executable" : "0" , "file_path" : "/usr/lib/x86_64-linux-gnu/libc.so.6" , "file_name" : "libc.so.6" }, "process_attestation_details" : { "elf_file_inode_number" : "14321204" , "elf_file_name" : "libc.so.6" , "elf_file_path" : "/usr/lib/x86_64-linux-gnu/libc.so.6" , "elf_file_hash_sha256" : "de259f5276c4a991f78bf87225d6b40e56edbffe0dcbc0ffca36ec7fe30f3f77" , "elf_file_hash_sha1" : "5b02e178d9ded9b8c37a605e7a233687aa45f72f" , "elf_file_hash_md5" : "289071786eab0c1910da49b2b1bfd377" , "elf_file_size_bytes" : "2125328" , "elf_file_process_executable_state" : "0" , "elf_file_type" : "ET_DYN + INTERP segment - Executable file" } }

Done.

Boris Kovalev Boris Kovalev has worked for the past several years as a Solutions Architect, focusing on NVIDIA Networking/Mellanox technology, and is responsible for complex machine learning, Big Data and advanced VMware-based cloud research and design. Boris previously spent more than 20 years as a senior consultant and solutions architect at multiple companies, most recently at VMware. He has written multiple reference designs covering VMware, machine learning, Kubernetes, and container solutions which are available at the NVIDIA Documents website.

NVIDIA, the NVIDIA logo, and BlueField are trademarks and/or registered trademarks of NVIDIA Corporation in the U.S. and other countries. Other company and product names may be trademarks of the respective companies with which they are associated. TM

© 2025 NVIDIA Corporation. All rights reserved.

