Airgapped Agent Installation
Air-gapped environments refer to those without internet access. When starting up, the agent attempts to compile its own probes, provided that the kernel header packages are installed on the host. If it fails, the agent will try to download pre-compiled probes from the Sysdig download site, including sysdigcloud-probe-<suffix>.ko or sysdigcloud-probe-bpf-<suffix>.o over the internet.
However, if you are working in an air-gapped environment, you will not be able to download these artifacts from the public internet. So before installing the agent, you must compile sysdigcloud-probe-<suffix> for each kernel version in your environment and make it available to the installed agents through an internally accessible URL.
Prerequisites
- A machine with internet access where you can download the required artifacts
- A machine in your airgapped environment where you can build your probes
- Tool to transfer artifacts to the machine in your airgapped environment
- Docker installed
Overview
Sysdig provides a tool, named the probe builder, to help you build the probes for different kernels and for a specific agent version. After downloading the required artifacts on a machine connected to the internet, you can copy them to an airgapped host, build your own probes, and make them available to your agent installations.
Update June 2023
Downloading Probe Source Code now requires downloading a .tar.gz file as opposed to cloning the agent-libs git repository (git clone).
Operations in a Machine with Internet Connectivity
Prepare the Sysdig Probe Builder Images
On a machine with internet connectivity, build the Sysdig probe builder container images and create a tar file of the images.
Get the probe builder source code from the repository:
$ git clone https://github.com/draios/probe-builder
Build the container image for the probe builder:
$ docker build -t airgap/sysdig-probe-builder probe-builder/
Build the images for each supported distribution-compiler combination:
$ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock airgap/sysdig-probe-builder:latest -P -b airgap/
Running this command will create a different image tag for each supported combination of distribution-compiler, with the distro-compiler information suffixed to the image name, airgap/sysdig-probe-builder. For example, airgap/sysdig-probe-builder:centos-gcc4.8.
Save all the above images to a tar archive:
$ docker save airgap/sysdig-probe-builder | gzip > builders.tar.gz
(optional) If you are building probes for the Ubuntu kernels, you will also need an ubuntu:latest image on your airgapped host. You can build it as follows:
$ docker pull ubuntu
$ docker save ubuntu | gzip > ubuntu.tar.gz
Download the Kernel Packages
Download your kernel packages. For more information, see Downloading Kernel Packages.
Download Probe Source Code
You need to download the probe source code for a specific agent version you want to build your probes for.
Update Agent 13.1.0
Starting from Agent version 13.1.0 the probe source code has been separated into two archives, one for kmodule and the other one for ebpf (legacy eBPF).
If you wish to build a legacy eBPF probe, for example for 13.1.0, use:
$ AGENT_VERSION=13.1.0
$ curl -o agent-legacy-ebpf-${AGENT_VERSION}.tar.gz https://download.sysdig.com/stable/tgz/x86_64/draios-${AGENT_VERSION}-x86_64-agent-legacy-ebpf.tar.gz
For the kmodule archive, for example for agent version 12.14.0, you would use:
$ AGENT_VERSION=12.14.0
$ curl -o agent-kmodule-${AGENT_VERSION}.tar.gz https://download.sysdig.com/stable/tgz/x86_64/draios-${AGENT_VERSION}-x86_64-agent-kmodule.tar.gz
Transfer the Downloaded Files
Copy the artifacts you have built and/or downloaded to the airgapped host machine:
- builders.tar.gz
- ubuntu.tar.gz (if needed, see above)
- agent-kmodule-${AGENT_VERSION}.tar.gz
- Downloaded kernel packages
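The probes built from these artifacts end up loaded into the kernel, so it is worth confirming that what arrives on the airgapped host is exactly what left the connected machine. The following is an added example, not part of the Sysdig tooling: a SHA-256 manifest written before the transfer and checked before `docker load`. The manifest name and the function names are assumptions of this example, and it requires GNU coreutils and findutils.

```shell
#!/bin/sh
# Added example: SHA-256 manifest for artifacts crossing the air gap.
# MANIFEST, make_manifest and verify_manifest are names assumed by this example.
# Requires GNU coreutils (sha256sum) and findutils.
MANIFEST=SHA256SUMS

# Connected machine: record a hash for every file in the transfer directory.
make_manifest() (
    cd "$1" || exit 1
    find . -type f ! -name "$MANIFEST" -print0 | LC_ALL=C sort -z |
        xargs -0 -r sha256sum > "$MANIFEST"
)

# Air-gapped host: fail if a file changed, is missing, or was added in transit.
verify_manifest() (
    cd "$1" || exit 1
    [ -s "$MANIFEST" ] || { echo "missing or empty $MANIFEST" >&2; exit 1; }
    # Listed files must exist and match their recorded hashes.
    sha256sum --check --strict --quiet "$MANIFEST" >&2 || exit 1
    # The set of files present must equal the set listed (name starts at column 67).
    listed=$(cut -c67- "$MANIFEST" | LC_ALL=C sort)
    present=$(find . -type f ! -name "$MANIFEST" | LC_ALL=C sort)
    [ "$listed" = "$present" ] || { echo "file set differs from manifest" >&2; exit 1; }
)

# Constructed round trip with stand-in files (not real Sysdig artifacts).
# Returns 0 only if the clean copy verifies and both tampered copies are rejected.
demo_roundtrip() {
    d=$(mktemp -d) || return 1
    printf 'constructed image archive\n' > "$d/builders.tar.gz"
    printf 'constructed probe source\n' > "$d/agent-kmodule-12.14.0.tar.gz"
    make_manifest "$d" && verify_manifest "$d" || { rm -rf "$d"; return 1; }
    printf 'modified in transit\n' >> "$d/builders.tar.gz"
    if verify_manifest "$d" 2>/dev/null; then rm -rf "$d"; return 1; fi
    make_manifest "$d"                      # reset, then add an unlisted file
    printf 'unexpected\n' > "$d/extra.ko"
    if verify_manifest "$d" 2>/dev/null; then rm -rf "$d"; return 1; fi
    rm -rf "$d"
}
```

Run `make_manifest` on the transfer directory before copying and `verify_manifest` on the airgapped host before loading anything; carry the manifest by a separate path from the artifacts if you can, since a manifest that travels with the files only detects accidental corruption.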
Operations in the Airgapped Host
Load the Builder Images
$ zcat builders.tar.gz | docker load
Unpack the Sysdig Source
$ tar --transform='s/^opt\/draios\/src\///' -xzf agent-kmodule-${AGENT_VERSION}.tar.gz
Running this command will create the draios-agent-${AGENT_VERSION}/ directory under the current directory (removing the opt/draios/src/ prefix from the path).
Move the Kernel Packages to a Dedicated Location
Make sure you have all the downloaded kernel package artifacts in a single directory, /directory-containing-kernel-packages/, for each distribution you want to support.
Run the Probe Builder
Now that you have all your requirements in place, you can run the main probe builder:
$ AGENT_VERSION=12.14.0
$ docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /a-directory-with-some-free-space/:/workspace \
-v /wherever-you-unpacked/draios-agent-${AGENT_VERSION}/:/sysdig \
-v /directory-containing-kernel-packages/:/kernels \
airgap/sysdig-probe-builder:latest -B -b airgap/ -- \
-p sysdigcloud-probe -v ${AGENT_VERSION} -k CustomCentOS
The probes will appear in /a-directory-with-some-free-space/output.
That directory must be served over HTTP or HTTPS.
As an example, the following sections describe how you can deploy your own nginx server within your cluster and upload your probes there.
Serve Your Pre-Compiled Probes
Set up a local repository to host the pre-compiled kernel module. For example, use nginx with the following command:
$ docker run --rm -v /a-directory-with-some-free-space/output:/usr/share/nginx/html/stable/sysdig-probe-binaries -p 80:80 nginx
Note the host/port part of the URL and use it as the SYSDIG_PROBE_URL while installing the agent.
Operations on the hosts where the Agent is installed
Use the Probes with the Agent
To use the probes with the agent, you have to set the SYSDIG_PROBE_URL environment variable as the URL you've created above. This variable specifies the URL of the location where the Sysdig probes are available for download. This allows the Sysdig agent to locate and download the locally compiled probe during startup.
Make the necessary changes to the On-Prem Agent installation instructions as given below:
Install Agent in a Kubernetes Environment
Append the arguments below to your Helm install command.
- Agent Slim installation (default)
--set agent.daemonset.kmodule.env.SYSDIG_PROBE_URL=http://www.mywebserver.net:80
- Agent non-slim installation (--set agent.slim.enabled=false)
--set agent.daemonset.env.SYSDIG_PROBE_URL=http://www.mywebserver.net:80
Continue with the instructions in the On-Prem Agent Installation.
Install Agent in a Docker Environment
Install Sysdig agent by pointing SYSDIG_PROBE_URL to the local repository:
For docker-based installations, add the following argument to the docker run command line:
-e SYSDIG_PROBE_URL=http://www.mywebserver.net:80/
For instance, your docker run command line might look like the following:
docker run -d --name sysdig-agent --restart always --privileged --net host --pid host \
-e ACCESS_KEY=WWWWW-YYYY-XXXX-ZZZZ-123456789 -e SECURE=true \
-e SYSDIG_PROBE_URL=http://www.mywebserver.net:80/ \
-v /var/run/docker.sock:/host/var/run/docker.sock \
-v /dev:/host/dev \
-v /proc:/host/proc:ro \
-v /boot:/host/boot:ro \
-v /lib/modules:/host/lib/modules:ro \
-v /usr:/host/usr:ro \
--shm-size=512m \
sysdig/agent
Where -e SYSDIG_PROBE_URL=http://www.mywebserver:80/ is the local nginx web server with the loaded module.
Note: To use HTTPS communication with a self-signed or untrusted certificate, also add the -e SYSDIG_PROBE_INSECURE_DOWNLOAD=true environment variable to the above command line.
Check the agent log. If the installation is successful, you will see a message as follows:
Evaluating override of environment variables
Trying to download precompiled module from http://mywebserver:80/stable/sysdig-probe-binaries/sysdigcloud-probe-<version>
Download succeeded