Node Analyzer: Multi-Feature Installation

What Is the Node Analyzer?

The Node Analyzer (NA) provides a method for deploying the components for three different Sysdig Secure features:

  • (Node) Image Analyzer: an existing tool that can now be installed and/or upgraded in a new way, alongside the other two components.

  • Benchmarks (v2): Installs a new component (called a benchmark runner) which is required to use Benchmarks v2, including an updated interface and new improved features. The legacy Benchmark tool can still be accessed.

    The Benchmarks portion of the Node Analyzer install is currently available on Sysdig Secure SaaS only.

  • Host Scanning: a new tool for scanning not just the images/containers on a host, but the host itself.

Installation Options

All the Node Analyzer components, along with the Sysdig agent, are deployed per node or host. You can deploy them using various methods:

Fresh Install: Agent + Node Analyzer

If you are installing Sysdig Secure for the first time and have not yet deployed any agents, you can use a single-line install to deploy both the Sysdig agent and the Node Analyzer (NA) tools. The script will make changes to each node or host within a cluster.

curl -s https://download.sysdig.com/stable/install-agent-kubernetes | sudo bash -s -- --access_key ACCESS_KEY --collector COLLECTOR_URL --collector_port 6443 --nodeanalyzer --api_endpoint API_ENDPOINT

For SaaS, see also the Get Started page in Sysdig Secure. Under “Connect Your Data Sources,” the script is generated with your endpoints automatically inserted.

On-Premises with Self-Signed Cert:

If you want the Node Analyzer to report to an on-prem Sysdig backend that uses a self-signed certificate, add -cc false to the command line so that the Node Analyzer will accept it.

To find the values yourself:

  • access_key: This is the agent access key. You can retrieve this from Settings > Agent Installation in the Sysdig Secure UI.

  • collector_url: This value is region-dependent in SaaS and is auto-completed on the Get Started page in the UI. (It is a custom value in on-prem installations.)

  • api_endpoint: This is the base URL (region-dependent) for Sysdig Secure and is auto-completed on the Get Started page. E.g. secure.sysdig.com, us2.app.sysdig.com, eu1.app.sysdig.com.

When finished, you can Access the Node Analyzer Features.

Upgrade/Install Node Analyzer Tools Only

Use this script in the following conditions:

  • The agent is already installed and you just want the NA tools.

  • The Node Image Analyzer is already installed and you want to upgrade it to v2.

  • You want to add Benchmarks v2 and Host Scanning features to your existing Sysdig Secure environment, as well as upgrade or install the Image Analyzer.

Note that if you already have the Node Image Analyzer (v1) installed, this script will upgrade that component automatically. An agent MUST already be installed. The script will make changes to every node in the cluster.

curl -s https://download.sysdig.com/stable/install-node-analyzer | sudo bash -s -- --api_endpoint API_ENDPOINT

When finished, you can Access the Node Analyzer Features.

Daemonset Install

To deploy the Node Analyzer using Kubernetes daemonsets, download the following configuration files, edit them as annotated within the files, and deploy them.

To deploy the Node Analyzer concurrently with the Sysdig agent, you would also download the sysdig-agent-clusterrole.yaml, sysdig-agent-daemonset-v2.yaml, and sysdig-agent-configmap.yaml and deploy them as described in Agent Install: Kubernetes.

You need to deploy these YAMLs after installing the Sysdig agent in the same nodes, and also in the same namespace (sysdig-agent by default).

When finished, you can Access the Node Analyzer Features.

Install with Helm

Use the “Sysdig” Helm chart, which installs the Sysdig agent and the Node Analyzer, with the following commands:

helm repo add sysdig https://charts.sysdig.com
helm repo update
helm install sysdig-agent --set sysdig.accessKey=ACCESS_KEY --set sysdig.settings.collector=COLLECTOR_URL --set sysdig.settings.collector_port=6443 sysdig/sysdig --set nodeAnalyzer.collectorEndpoint=API_ENDPOINT

To find the values:

  • access_key: This is the agent access key. You can retrieve this from Settings > Agent Installation in the Sysdig Secure UI.

  • collector_url: This value is region-dependent in SaaS and is auto-completed on the Get Started page in the UI. (It is a custom value in on-prem installations.)

  • api_endpoint: This is the base URL (region-dependent) for Sysdig Secure and is auto-completed on the Get Started page. E.g. secure.sysdig.com, us2.app.sysdig.com, eu1.app.sysdig.com.

Access the Node Analyzer Features

Log in to Sysdig Secure and check that the features are working as expected.

Confirm the Image Analyzer is functioning:

  1. Select Scanning > Image Results.

  2. Check for scanned container image results that originate with the Sysdig Node Image Analyzer.

Use Benchmarks (v2)

The Benchmarks portion of the Node Analyzer install is currently available on Sysdig Secure SaaS only.

  1. Select Compliance > Benchmarks | Tasks.

  2. Either configure a new task or review your upgraded tasks. Click a line item to see the associated benchmark report.

    Your active team scope is applied when loading benchmarks results. Log in with the broadest team and user credentials to see the full report.

Use Host Scanning to check vulnerabilities in hosts or nodes, both for operating system packages (e.g. rpm, dpkg) and non-operating system packages (e.g. Java packages, Ruby gems).

  1. Select Scanning > Hosts.

  2. Review the Host vulnerabilities listed.

    Your active team scope is applied when loading host scanning results. Log in with the broadest team and user credentials to see the full report.

Alternate Install Cases

The installation options above should be sufficient for the majority of users; the options below allow for customizations and special cases.

Running Node Analyzer Behind a Proxy

Depending on your organization’s network design, you may require the HTTP requests from Node Analyzer features to pass through a proxy in order to reach the Sysdig Secure backend. To do so, you must edit the configmaps of all three components (sysdig-image-analyzer, sysdig-host-analyzer and sysdig-benchmark-runner; see Component Configurations below).

These are in the sysdig-agent namespace by default.

Configure the following variables:

  • http_proxy/https_proxy: Use with the relevant proxy URL, e.g. http://my_proxy_address:8080.

    In most cases it is enough to specify http_proxy, as it applies to HTTPS connections as well.

  • no_proxy: Use this parameter to exclude certain subnets from using the proxy by adding a comma-separated exclusion list, e.g. 127.0.0.1,localhost,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8

If the proxy server requires authentication, it is possible to specify credentials in the URL, e.g. http://username:password@my_proxy:8080. Note that a configmap is not a secret: anyone who can read configmaps in the sysdig-agent namespace can read those credentials in plain text.

Running in a Non-Kubernetes Environment

This is handled per-component.

Benchmarks (Non-Kubernetes)

It is possible to deploy the benchmark runner as a single Docker container:

docker run -d -v /:/host:ro -v /tmp:/host/tmp --privileged --network host --pid host -e BACKEND_ENDPOINT=https://<sysdig_backend_endpoint> -e ACCESS_KEY=<Sysdig agent access key> -e BACKEND_VERIFY_TLS=false -e TAGS=<custom_tags> quay.io/sysdig/compliance-benchmark-runner:latest

  • Note: If you don’t want to pass the access key directly via the command line, consider using an alternative method of passing environment variables, such as docker-compose.

  • The BACKEND_ENDPOINT is only required for Sysdig on-prem installations or when using a Sysdig SaaS region other than US-EAST.

    For example, the EU SaaS endpoint would be: https://eu1.app.sysdig.com.

    See also: SaaS Regions and IP Ranges.

  • BACKEND_VERIFY_TLS=false is only needed if you are using an on-prem backend with a self-signed certificate.

  • TAGS: The list of tags for the host where the agent is installed. For example: “role:webserver, location:europe”, “role:webserver” or “webserver”.

Image Analyzer (Non-Kubernetes)

It is also possible to run the image analyzer as a single Docker container:

docker run -d -v /var/run:/var/run --privileged --network host -e AM_COLLECTOR_ENDPOINT=https://<sysdig_backend_endpoint>/internal/scanning/scanning-analysis-collector -e ACCESS_KEY=<Sysdig agent access key> -e VERIFY_CERTIFICATE=false quay.io/sysdig/node-image-analyzer:latest

  • Note: If you don’t want to pass the access key directly via the command line, consider using an alternative method of passing environment variables, such as docker-compose.

  • The AM_COLLECTOR_ENDPOINT is only required for Sysdig on-prem installations or when using a Sysdig SaaS region other than US-EAST.

    For example, the EU SaaS endpoint would be: https://eu1.app.sysdig.com/internal/scanning/scanning-analysis-collector

    See also: SaaS Regions and IP Ranges.

  • VERIFY_CERTIFICATE=false is only needed if you are using an on-prem backend with a self-signed certificate.

Host Scanning (Non-Kubernetes)

To install the Host Scanning component in a non-Kubernetes environment, you can use:

docker run -d -v /:/host:ro --privileged -e AM_COLLECTOR_ENDPOINT=https://<sysdig_backend_endpoint>/internal/scanning/scanning-analysis-collector -e ACCESS_KEY=<Sysdig agent access key> -e VERIFY_CERTIFICATE=false -e SCHEDULE=@dailydefault quay.io/sysdig/host-analyzer:latest

  • Note: If you don’t want to pass the access key directly via the command line, consider using an alternative method of passing environment variables, such as docker-compose.

  • The AM_COLLECTOR_ENDPOINT is only required for Sysdig on-prem installations or when using a Sysdig SaaS region other than US-EAST.

    For example, the EU SaaS endpoint would be: https://eu1.app.sysdig.com/internal/scanning/scanning-analysis-collector

    See also: SaaS Regions and IP Ranges.

  • VERIFY_CERTIFICATE=false is only needed if you are using an on-prem backend with a self-signed certificate.

  • TAGS: The list of tags for the host where the agent is installed. For example: “role:webserver, location:europe”, “role:webserver” or “webserver”.

For Image Analyzer Component Only

These cases affect only the Image Analyzer component of the Node Analyzer installation.

Installing Image Analyzer Component Alone

It is still possible to install the image analyzer component without benchmarks or host scanning. This option normally would apply only to previous users of the former node image analyzer who want to upgrade just that component, for whatever reason.

This can be done by downloading the sysdig-image-analyzer-daemonset.yaml and sysdig-image-analyzer-configmap.yaml and deploying.

You need to deploy these YAMLs after installing the Sysdig agent in the same nodes, and also in the same namespace (sysdig-agent by default).

Kubernetes Requiring Custom Socket Path

By default, the image analyzer will automatically detect the socket to mount from:

  • Docker socket from /var/run/docker/docker.sock

  • CRI-O socket from /var/run/crio/crio.sock

  • CRI-containerd socket from /var/run/containerd/containerd.sock

Some setups require the analyzer to use custom socket paths.

If the socket is located outside /var/run, the corresponding volume must be mounted as well. You can configure it via the single line installer script or by manually editing the daemonset and configmap variables.

When using the installer, use the -cv option to mount an additional volume and add -ds, -cs or -cd to specify a Docker, CRI, or CRI-containerd socket respectively.

See the script's -help option for additional information.

Examples:

For K3S, which uses containerd, add:

-cd unix:///run/k3s/containerd/containerd.sock -cv /run/k3s/containerd

For Pivotal, which uses a custom path for the Docker socket, use:

-ds unix:///var/vcap/data/sys/run/docker/docker.sock -cv /var/vcap/data/sys/run/docker

Daemonset Resource Limit Considerations

During its regular operation, the Image Analyzer uses much less memory than the limit specified in the daemonset configuration. However, in some cases, processing an image may require more memory, depending, for example, on image size, content or package types.

This issue can be detected by looking for abnormal spikes in the memory usage of Image Analyzer pods that are also showing analysis errors. In such cases, we recommend increasing the analyzer memory limit to up to three times the size of the unprocessed images, if the memory available in the cluster allows.

Component Configurations

Image Analyzer Configmap Options

For special cases, the image analyzer can be configured by editing the sysdig-image-analyzer configmap in the sysdig-agent namespace with the following options:

  • docker_socket_path: The Docker socket path, defaulting to unix:///var/run/docker/docker.sock. If a custom path is specified, ensure it is correctly mounted from the host inside the container.

  • cri_socket_path: The socket path to a CRI-compatible runtime, such as CRI-O, defaulting to unix:///var/run/crio/crio.sock. If a custom path is specified, ensure it is correctly mounted from the host inside the container.

  • containerd_socket_path: The socket path to a CRI-Containerd daemon, defaulting to unix:///var/run/containerd/containerd.sock. If a custom path is specified, ensure it is correctly mounted from the host inside the container.

  • collector_endpoint: The endpoint to the Scanning Analysis collector, specified in the following format: https://<API_ENDPOINT>/internal/scanning/scanning-analysis-collector

  • ssl_verify_certificate: Can be set to "false" to allow insecure connections to the Sysdig backend, such as for on-premise installs that use self-signed certificates. By default, certificates are always verified.

  • debug: Can be set to "true" to show debug logging, useful for troubleshooting.

  • http_proxy, https_proxy, no_proxy: Proxy configuration variables.
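As an added example (not a file from the Sysdig docs or installers), here is a sysdig-image-analyzer configmap in the sysdig-agent namespace that combines the options above with the proxy variables from "Running Node Analyzer Behind a Proxy" and the K3S socket path from "Kubernetes Requiring Custom Socket Path". The proxy address and API_ENDPOINT are placeholders, and placing the options under data: follows the standard Kubernetes ConfigMap layout.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: sysdig-image-analyzer        # configmap name used by the Image Analyzer component
  namespace: sysdig-agent            # default namespace of the agent and Node Analyzer
data:
  # Scanning Analysis collector; API_ENDPOINT is a placeholder
  # (for the EU SaaS region it would be eu1.app.sysdig.com).
  collector_endpoint: "https://API_ENDPOINT/internal/scanning/scanning-analysis-collector"
  # Keep certificate verification on. "false" is only for on-prem
  # backends that use a self-signed certificate.
  ssl_verify_certificate: "true"
  debug: "false"
  # Custom containerd socket for K3S. The /run/k3s/containerd directory
  # must also be mounted into the daemonset pod (the -cv option of the installer).
  containerd_socket_path: "unix:///run/k3s/containerd/containerd.sock"
  # Proxy settings (placeholder address). http_proxy also applies to HTTPS
  # connections. Credentials embedded here would be readable by anyone
  # allowed to read configmaps in this namespace.
  http_proxy: "http://proxy.example.internal:8080"
  no_proxy: "127.0.0.1,localhost,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8"
```

The same http_proxy/https_proxy/no_proxy, ssl_verify_certificate and debug keys apply to the sysdig-host-analyzer and sysdig-benchmark-runner configmaps described below, with their own collector_endpoint formats.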

Host Scanning Configuration Options

The analyzer component of the Host Scanning feature can be configured by editing the sysdig-host-analyzer configmap in the sysdig-agent namespace with the following options:

  • schedule: The scanning schedule specification for the host analyzer, expressed as a crontab string such as “5 4 * * *” (more examples). The default value of @dailydefault instructs the analyzer to automatically pick a schedule that will start shortly after it is deployed and will perform a scan every 24 hours.

  • dirs_to_scan: The list of directories to inspect during the scan, expressed as a comma-separated list such as /etc,/var/lib/dpkg,/usr/local,/usr/lib/sysimage/rpm,/var/lib/rpm,/lib/apk/db

  • collector_endpoint: The endpoint to the Scanning Analysis collector, specified in the following format: https://<API_ENDPOINT>/internal/scanning/scanning-analysis-collector

  • max_send_attempts: The number of times the analysis collector is allowed to retry sending results if backend communication fails.

  • ssl_verify_certificate: Can be set to "false" to allow insecure connections to the Sysdig backend, such as for on-premise installs that use self-signed certificates. By default, certificates are always verified.

  • debug: Can be set to "true" to show debug logging, useful for troubleshooting.

  • http_proxy, https_proxy, no_proxy: Proxy configuration variables.

Benchmark Runner Configuration Options

The benchmark runner component can be configured by editing the sysdig-benchmark-runner configmap in the sysdig-agent namespace with the following options:

  • collector_endpoint: The Secure API endpoint, specified in the following format: https://<API_ENDPOINT>

  • ssl_verify_certificate: Can be set to "false" to allow insecure connections to the Sysdig backend, such as for on-premise installs that use self-signed certificates. By default, certificates are always verified.

  • debug: Can be set to "true" to show debug logging, useful for troubleshooting.

  • http_proxy, https_proxy, no_proxy: Proxy configuration variables.